Malicious PDF — malware analysis report

Static analysis result for SHA-256 69ee3ce86bdfbe6e…

MALICIOUS

PDF

Size: 39.8 KB
Authoring application: Smallpdf Desktop
MD5: 98873fe0e36d7311712488f636a2bd77
SHA-1: 1f4a356f0365649ce9d615e70dd76650033eb68e
SHA-256: 69ee3ce86bdfbe6e9afced060f4486d0662f9faaa74bb0ddaeb39b0a54d9c9f9
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. ClamAV also detected this as Pdf.Phishing.TtraffRobotInstall-7605656-0, indicating a phishing or malicious distribution attempt. The document body, though partially corrupted, contains text related to medical conditions and also repeats many of the embedded URLs, reinforcing the link farm behavior.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000011b7.bin
SHA-256: 9f33d5e30e9d95a3a644d9599d249b9db760f91f7988ad4fd7a03e4086359e9a
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x11B7
Size: 7944 bytes