Malicious PDF — malware analysis report

Static analysis result for SHA-256 66fa87748572e243…

MALICIOUS

PDF

Size: 34.9 KB
Authoring application: PDFBox
MD5: bc231d2bbdb270ab2657c44fb5d7edd9
SHA-1: eb4f2ff86b03edbf0d12968e75dff84814c70b37
SHA-256: 66fa87748572e24305f39f7c454bad74bcfdc94c71499cbf4d9dd15f1adfc584
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document was identified as malicious by multiple heuristics, including a critical PDF_SEO_LINK_FARM alert indicating a large number of external links. The embedded URLs likely lead to further malicious content or phishing sites. Although no scripts were explicitly extracted, the nature of the link farm suggests an attempt to redirect users to potentially harmful content, aligning with a phishing or malware distribution strategy.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002fb1.bin
SHA-256: 18cce6398633c3be7202e333d46ced56b5c691876f30db2fc37358a6cb3260ec
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2FB1
Size: 8768 bytes