Malicious PDF — malware analysis report

Static analysis result for SHA-256 6c214b551da5ad78…

MALICIOUS

PDF

Size: 40.2 KB
Authoring application: PDFBox
MD5: 7a2e9d318b377e45e578e0a4eacfb336
SHA-1: bd4811154838717925bd05fc2093be2096cf2972
SHA-256: 6c214b551da5ad7812ea29af65563f01307dd6cf48bedaa0a6ded05c71a788f1
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded URLs forming a link farm, a common carrier for phishing and malware distribution. The document body text, though heavily obfuscated, mentions 'Free answering machine app'; the same phrase appears as the fragment of the single HTML link, and the remaining links point to other PDF files, suggesting a lure that routes the reader on to further malicious content. The ClamAV signature hit and the Nyx PDF classifier score of 1.0000 support the malicious verdict; the most likely purpose is phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ponyenzo.com/uploads/1/3/0/6/130622093/2216315.pdf
    • http://3feetforpete.org/uploads/1/3/0/6/130621051/1f36ab13.pdf
    • http://newsellco.com/uploads/1/3/0/5/130539800/nirijugabadik-metakobov-lozarog.pdf
    • http://beekeepinginalaska.com/uploads/1/3/0/6/130639459/6533720.pdf
    • http://musicforsoho.com/uploads/1/3/0/5/130551754/zofuvalitux.pdf
    • http://gatepariksha.com/uploads/1/3/0/7/130739371/wufusuzud.pdf
    • http://runnersofthenish.com/uploads/1/3/0/5/130588633/rifunotuxituno.pdf
    • http://midmichiganstays.com/uploads/1/3/0/3/130323600/tifetupagisa.pdf
    • http://christchurchportland.org/uploads/1/3/0/7/130739284/7190536.pdf
    • http://girowiku.nembutaldelivery.com/uploads/2020/01/28/dovesasapefix-xidiwiguzosapux.pdf
    • http://foothillsbiblefellowship.com/uploads/1/3/0/4/130483759/130483759.html#free+answering+machine+app
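The PDF_SEO_LINK_FARM heuristic above is described only in words. The following script, added here as an illustration and not the analysis engine's own rule, shows one way such a check can be built: pull URLs out of a PDF by channel (link annotations via /URI, body text via decoded content streams), then flag a small file whose external .pdf links concentrate on one host. Because the URL list on this page spans many hosts but one generated /uploads/d/d/d/d/... directory layout, the example also clusters on a digit-normalised path template, which goes beyond the host-only wording of the heuristic. The thresholds, the sample PDF (built inline with reserved .invalid hostnames) and all function names are assumptions for the demonstration.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (not the analysed file). Hosts use the reserved
# .invalid TLD so nothing resolves; paths copy the /uploads/d/d/d/d/...
# layout seen in the report's URL list.
ANNOT_URIS = (
    ["http://farm-a.invalid/uploads/1/3/0/6/130622093/%d.pdf" % i for i in range(7)]
    + ["http://farm-b.invalid/uploads/1/3/0/5/130551754/zofu.pdf",
       "http://farm-c.invalid/uploads/1/3/0/7/130739371/wufu.pdf"]
)


def build_sample_pdf(uris=ANNOT_URIS) -> bytes:
    """Assemble a raw PDF with /Link annotations and one FlateDecode content
    stream. No xref table is written: the extractor below works on the raw
    bytes rather than through a conforming parser."""
    text = (b"BT /F1 12 Tf 72 700 Td (Free answering machine app) Tj "
            b"(http://farm-a.invalid/uploads/1/3/0/6/130622093/index.html) Tj ET")
    packed = zlib.compress(text)
    first_annot = 5
    refs = b" ".join(b"%d 0 R" % (first_annot + i) for i in range(len(uris)))
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [" + refs + b"] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
        + packed + b"\nendstream",
    ]
    for uri in uris:
        objects.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                       b"/A << /S /URI /URI (" + uri.encode() + b") >> >>")
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objects, start=1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"%%EOF\n"


# Literal-string /URI entries only; hex-string (<...>) URIs are not handled.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")


def extract_urls(pdf: bytes):
    """Return (url, channel) pairs; channel names the PDF feature that carried
    the URL, in the spirit of the report's per-URL labels."""
    found = []
    for m in URI_RE.finditer(pdf):
        found.append((m.group(1).decode("latin-1"), "link_annotation"))
    for m in STREAM_RE.finditer(pdf):
        raw = m.group(1)
        try:
            # decompressobj tolerates a stream whose trailing bytes the regex
            # clipped; a non-Flate stream raises zlib.error and is scanned raw.
            data = zlib.decompressobj().decompress(raw)
        except zlib.error:
            data = raw
        for u in URL_RE.finditer(data):
            found.append((u.group(0).decode("latin-1"), "document_body"))
    return found


def score_link_farm(pdf: bytes, max_size=256 * 1024, min_pdf_links=8, min_share=0.5):
    """Assumed thresholds: a file no larger than max_size carrying at least
    min_pdf_links external .pdf links, of which min_share sit on one host or
    one directory template, is flagged as a link-farm carrier."""
    hits = extract_urls(pdf)
    external = [u for u, _ in hits if urlsplit(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    # Directory with digit runs collapsed, so links spread over many hosts
    # but sharing one generated layout still cluster together.
    templates = Counter(re.sub(r"\d+", "#", urlsplit(u).path.rsplit("/", 1)[0])
                        for u in pdf_links)

    def top(counter):
        return counter.most_common(1)[0] if counter else (None, 0)

    top_host, host_n = top(hosts)
    top_tpl, tpl_n = top(templates)
    n = len(pdf_links)
    host_share = host_n / n if n else 0.0
    tpl_share = tpl_n / n if n else 0.0
    flagged = (len(pdf) <= max_size and n >= min_pdf_links
               and max(host_share, tpl_share) >= min_share)
    return {
        "size": len(pdf),
        "external_urls": len(external),
        "pdf_links": n,
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": round(host_share, 3),
        "top_path_template": top_tpl,
        "top_template_share": round(tpl_share, 3),
        "channels": dict(Counter(ch for _, ch in hits)),
        "flagged": flagged,
    }


if __name__ == "__main__":
    for key, value in score_link_farm(build_sample_pdf()).items():
        print(f"{key}: {value}")
```

Against the constructed sample the verdict is positive on both axes (seven of nine .pdf links on farm-a.invalid, all nine under /uploads/#/#/#/#/#), while the same document trimmed to two annotations is not flagged. On a real file the regex pass is a triage step only: object streams, hex-string URIs and non-Flate filters all need a proper parser.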

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000012ae.bin
SHA-256:  86f5fab33223b8af15de49f8d6c85f4599bab1dbcd0214ab7c04e0dc4977f496
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x12AE
Size:     8860 bytes