Malicious PDF — malware analysis report

Static analysis result for SHA-256 6a6978d1a96a6d13…

MALICIOUS

File type: PDF
Size: 27.5 KB
Authoring application: QPDF
MD5: 57af3575b38c3105f0960f8cae9a8149
SHA-1: 4f071b888a21da072fcb31721609e1dddcd9ea7c
SHA-256: 6a6978d1a96a6d133eb2b2b56ff4fa1b3692b8a64d090eee3cb7e8802644ee89
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF carries a large number of embedded links to external PDF files, a pattern typical of generated SEO link-farm carriers that route users into further malicious or unwanted-software delivery chains rather than of genuine document citations. Eleven URLs were extracted: ten point to .pdf paths and one to an .html page, and all of them share the same /uploads/1/3/0/<n>/<id>/ path template across different hosts. The ML classifier and the ClamAV signature both indicate malicious intent and classify the file as phishing or redirection malware. No scripts were extracted, so the embedded URLs are the primary indicators of compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://krystalmichelle.com/uploads/1/3/0/4/130436152/mupevixetod_pobuzuge_tetegavatorarag_fofuna.pdf
    • http://partnerscapitaledu.com/uploads/1/3/0/2/130272325/2736859.pdf
    • http://konradhansen.com/uploads/1/3/0/5/130550833/wukivefuledopelukib.pdf
    • http://blythetierneydever.com/uploads/1/3/0/3/130313784/376573f607ebe.pdf
    • http://bringontheagame.com/uploads/1/3/0/6/130621479/773742.pdf
    • http://www.crabhousefortsmith.com/uploads/1/3/0/2/130288811/lenakep.pdf
    • http://ministryiq.net/uploads/1/3/0/6/130620290/lawile_popapidoxodin.pdf
    • http://payashton.com/uploads/1/3/0/2/130289279/togazulive.pdf
    • http://johnwhiteracing.com/uploads/1/3/0/5/130589313/tiwulikatevo.pdf
    • http://mountshastamassage.com/uploads/1/3/0/2/130287500/lupelojofiler_genevatid.pdf
    • http://ncphotgraphy.com/uploads/1/3/0/5/130541208/teduxuxuwajel-konijof.pdf
    • http://adsl-63-204-18-26.benefitplans.org/uploads/1/3/0/5/130543293/130543293.html#aha+take+on+me+tab
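The two heuristics above (the PDF_SEO_LINK_FARM rule and the EMBEDDED_URL extraction) can be reproduced in a few dozen lines. The following is an added example, not the analyser's own code: it constructs a small uncompressed PDF in memory from made-up sample URLs on reserved .test hosts (shaped like the list above: ten .pdf paths under one /uploads/ path template plus one .html page), extracts every /URI target that a link annotation points at, and applies a link-farm rule. The thresholds size_limit, min_links and pdf_ratio are assumptions for illustration; the report does not state the analyser's real values.

```python
"""Link-farm heuristic over PDF /URI link annotations (added example)."""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample targets on reserved .test hosts, shaped like the report's
# list: ten .pdf paths under the same /uploads/ template plus one .html page.
SAMPLE_URLS = [
    f"http://example-{c}.test/uploads/1/3/0/{i % 7}/13{i:07d}/{c * 3}.pdf"
    for i, c in enumerate("abcdefghij", start=1)
] + ["http://example-k.test/uploads/1/3/0/5/130000011/130000011.html#search(1)"]

# A PDF literal string is "(" ... ")" with backslash escapes for \, ( and ).
URI_RE = re.compile(rb"/URI\s*\((?P<uri>(?:\\.|[^\\)])*)\)")
UNESCAPE_RE = re.compile(rb"\\(.)")


def _pdf_string(s: str) -> str:
    """Escape a Python string as the body of a PDF literal string."""
    return s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")


def build_sample_pdf(urls):
    """Construct a one-page PDF whose /Annots are /Link annotations with /URI
    actions. Objects are left uncompressed so the regex below can see them;
    the xref table is omitted, which lenient parsers tolerate."""
    annot_objs, refs = [], []
    for num, url in enumerate(urls, start=4):  # objects 1-3 are catalog/pages/page
        annot_objs.append(
            f"{num} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
            f"/A << /S /URI /URI ({_pdf_string(url)}) >> >>\nendobj\n"
        )
        refs.append(f"{num} 0 R")
    body = (
        "%PDF-1.4\n"
        "1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
        "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
        "3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        f"/Annots [{' '.join(refs)}] >>\nendobj\n"
        + "".join(annot_objs)
        + "trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    )
    return body.encode("latin-1")


def extract_link_uris(pdf_bytes: bytes):
    """Return every /URI target found in uncompressed objects, in file order.
    Caveat: a real sample may hide annotations inside FlateDecode'd object
    streams; decompress first (qpdf --qdf --object-streams=disable in.pdf out.pdf)
    or use a real PDF parser instead of this regex."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = UNESCAPE_RE.sub(lambda e: e.group(1), m.group("uri"))
        uris.append(raw.decode("latin-1", "replace"))
    return uris


def link_farm_score(uris, pdf_size, size_limit=64 * 1024, min_links=8, pdf_ratio=0.7):
    """PDF_SEO_LINK_FARM-style rule (thresholds are assumptions): a small file
    carrying many clickable external links, most of them to other .pdf files.
    Host concentration is reported for the analyst but not required to fire,
    since a farm may spread targets over throwaway hosts sharing one path template."""
    external = [u for u in uris if urlparse(u).scheme in ("http", "https")]
    pdf_targets = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).netloc.lower() for u in external)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    n = len(external)
    share = len(pdf_targets) / n if n else 0.0
    return {
        "external": n,
        "pdf_targets": len(pdf_targets),
        "pdf_share": round(share, 3),
        "top_host": top_host,
        "top_host_share": round(top_count / n, 3) if n else 0.0,
        "triggered": pdf_size <= size_limit and n >= min_links and share >= pdf_ratio,
    }


if __name__ == "__main__":
    sample = build_sample_pdf(SAMPLE_URLS)
    found = extract_link_uris(sample)
    print(f"{len(found)} link URIs extracted from a {len(sample)}-byte sample PDF")
    for key, value in link_farm_score(found, len(sample)).items():
        print(f"  {key}: {value}")
```

On a real sample the regex pass is only the first step: when the authoring tool has packed the annotation dictionaries into compressed object streams, nothing will match until the file is normalised, which is why the usual workflow is qpdf (the same tool that produced this file) to decompress and then a proper parser or pdfid/peepdf to enumerate annotations and actions.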

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001705.bin
SHA-256: 31379017dd8fc0d3d1d00ef8203a5c7024bba28ad2f73e075e952b8258ec8150
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1705
Size: 6708 bytes

The carved font is listed as an artifact, not an indicator: no heuristic in this report fires on it, and an embedded sfnt font is normal for a PDF.