Malicious PDF — malware analysis report

Static analysis result for SHA-256 6ca887fd06be0955…

Verdict: MALICIOUS
File type: PDF
Size: 31.6 KB
Authoring application: ImageMagick
MD5: e2e4519800de96602f004c4f1ac45ace
SHA-1: 397636ab7b11c916e0631c387210325b7629472e
SHA-256: 6ca887fd06be09558eca4866be561ebb690a2e5ff9120e8df1cf133bf6143e82
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF carries 17 clickable external links: 16 point at .pdf files and one at an .html page whose URL fragment is a search keyword. The 17 targets sit on 17 distinct domains, yet every one of them follows the same /uploads/1/3/0/<n>/<id>/<name> path template, which is the signature of a generated SEO link-farm carrier rather than a document citing sources. Such carriers exist to route users who land on them from search results into further hops, typically malicious or unwanted-software delivery chains. ClamAV detected the file as Pdf.Phishing.TtraffRobotInstall and the ML classifier scored it 1.0; no other heuristic fired and the only carved artifact is an embedded font, so the file's value to the attacker is as a redirector, not as an exploit or script container. The embedded URLs are the primary IOCs and should be treated as the phishing or content-distribution vector.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.cre8tivekidschildcaremn.com/uploads/1/3/0/4/130483806/09ab4911ce12f76.pdf
    • http://roryward.com/uploads/1/3/0/3/130312961/9717472.pdf
    • http://iuseelite.net/uploads/1/3/0/6/130604552/6188057.pdf
    • http://www.chilhowiechristianchurch.com/uploads/1/3/0/5/130545998/vibexatexer-vevenupekoke.pdf
    • http://www.foodhubonline.com/uploads/1/3/0/2/130289611/704793bd.pdf
    • http://healthyheartcirculationformula.com/uploads/1/3/0/8/130814591/pijadefeni.pdf
    • http://mrsac.net/uploads/1/3/0/5/130544390/xodivukikezipuz-luruwuwomiduda.pdf
    • http://cobaltcares.org/uploads/1/3/0/6/130639709/rizezidako_delif_ledopidu.pdf
    • http://fitrighthome.com/uploads/1/3/0/8/130813466/rekopojajupov.pdf
    • http://princetonphysicaltherapy.net/uploads/1/3/0/6/130621700/272349.pdf
    • http://thatiphoneshow.com/uploads/1/3/0/2/130289344/e21fa08b640.pdf
    • http://ufunny.net/uploads/1/3/0/6/130605089/nomiwofe.pdf
    • http://cherry-supply.com/uploads/1/3/0/7/130775858/lenulevoforafefa.pdf
    • http://brennanthefounder.com/uploads/1/3/0/2/130270945/1267510.pdf
    • http://www.trendythreadsboutique.shop/uploads/1/3/0/7/130775268/492a6.pdf
    • http://choice-components.com/uploads/1/3/0/5/130589165/levoberadufujuni.pdf
    • http://rntaudioemusica.com/uploads/1/3/0/7/130740138/130740138.html#durgasoft+core+java+pdf
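The two heuristics above describe a detection that is easy to reproduce for triage: pull the /URI targets out of the PDF's link annotations, label the channel each URL came from, and score the "small file, many external .pdf links, clustered" pattern. The script below is an added example written for this report, not the analysis platform's own heuristic engine. It builds a small PDF in memory from a subset of the URLs listed above (constructed input), then scans it. Because the URLs in this sample are spread across distinct hosts, the scorer clusters on both the hostname (as the PDF_SEO_LINK_FARM text describes) and the digit-masked directory template of the path, which is an extension of the page's heuristic; the size and count thresholds are assumptions chosen for the example.

```python
"""Triage heuristic for SEO link-farm PDF carriers.

Added example for this report, not the analysis platform's code. It extracts
/URI link-annotation targets from raw PDF bytes, labels the channel each URL
was found in, and scores the small-PDF-with-many-external-.pdf-links pattern.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed input: a subset of the link targets listed in the report.
REPORT_URLS = [
    "http://www.cre8tivekidschildcaremn.com/uploads/1/3/0/4/130483806/09ab4911ce12f76.pdf",
    "http://roryward.com/uploads/1/3/0/3/130312961/9717472.pdf",
    "http://iuseelite.net/uploads/1/3/0/6/130604552/6188057.pdf",
    "http://www.foodhubonline.com/uploads/1/3/0/2/130289611/704793bd.pdf",
    "http://mrsac.net/uploads/1/3/0/5/130544390/xodivukikezipuz-luruwuwomiduda.pdf",
    "http://cobaltcares.org/uploads/1/3/0/6/130639709/rizezidako_delif_ledopidu.pdf",
    "http://fitrighthome.com/uploads/1/3/0/8/130813466/rekopojajupov.pdf",
    "http://ufunny.net/uploads/1/3/0/6/130605089/nomiwofe.pdf",
    "http://rntaudioemusica.com/uploads/1/3/0/7/130740138/130740138.html#durgasoft+core+java+pdf",
]


def pdf_literal(s: str) -> bytes:
    """Escape a string for use inside a PDF literal string ( ... )."""
    b = s.encode("ascii")
    return b.replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")


def build_sample_pdf(urls):
    """Construct a minimal one-page PDF with one /Link annotation (/URI action)
    per URL. A real xref table is written so the file is structurally valid,
    not merely regex-scannable. Constructed for this example only."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annot_refs = b" ".join(b"%d 0 R" % i for i in range(4, 4 + len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
                b"/Annots [" + annot_refs + b"] >>")
    for n, url in enumerate(urls):
        y = 700 - 20 * n  # stack the clickable rectangles down the page
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [50 %d 550 %d] "
                    b"/A << /S /URI /URI (%s) >> >>" % (y, y + 15, pdf_literal(url)))
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for i, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n" % (len(objs) + 1) + b"0000000000 65535 f \n"
    for off in offsets:
        out += b"%010d 00000 n \n" % off  # each xref entry is exactly 20 bytes
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref_pos))
    return bytes(out)


# /URI ( ... ) inside a link action; the string may contain escaped parens.
LINK_URI = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
# Fallback: any http(s) string anywhere in the byte stream (body text, JS, ...).
ANY_HTTP = re.compile(rb"https?://[^\s()<>\"']+")


def unescape_pdf_string(s: bytes) -> str:
    """Undo the escapes relevant to URLs in PDF literal strings."""
    return re.sub(rb"\\([()\\])", rb"\1", s).decode("latin-1")


def extract_urls(pdf: bytes):
    """Return {url: channel}; 'link_annotation' wins over the generic 'raw' hit."""
    found = {}
    for m in LINK_URI.finditer(pdf):
        found.setdefault(unescape_pdf_string(m.group(1)), "link_annotation")
    for m in ANY_HTTP.finditer(pdf):
        found.setdefault(m.group(0).decode("latin-1"), "raw")
    return found


def seo_link_farm_score(pdf: bytes, max_size=64 * 1024, min_links=8, cluster_share=0.5):
    """Score the PDF_SEO_LINK_FARM pattern. Thresholds are assumptions."""
    urls = extract_urls(pdf)
    ext_pdf = [u for u, ch in urls.items()
               if ch == "link_annotation"
               and urlparse(u).scheme in ("http", "https")
               and urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in ext_pdf)
    # Directory with digits masked: /uploads/1/3/0/4/130483806 -> /uploads/#/#/#/#/#
    templates = Counter(re.sub(r"\d+", "#", urlparse(u).path.rsplit("/", 1)[0])
                        for u in ext_pdf)
    n = len(ext_pdf)
    top_host = hosts.most_common(1)[0][1] / n if n else 0.0
    top_tmpl = templates.most_common(1)[0][1] / n if n else 0.0
    clustered = top_host >= cluster_share or top_tmpl >= cluster_share
    return {
        "size": len(pdf),
        "external_pdf_links": n,
        "distinct_hosts": len(hosts),
        "top_host_share": round(top_host, 2),
        "top_path_template": templates.most_common(1)[0][0] if templates else None,
        "top_template_share": round(top_tmpl, 2),
        "match": len(pdf) <= max_size and n >= min_links and clustered,
    }


if __name__ == "__main__":
    sample = build_sample_pdf(REPORT_URLS)
    for url, channel in extract_urls(sample).items():
        print(f"{channel:16s} {url}")
    print(seo_link_farm_score(sample))
```

Run against the constructed sample, every URL is labelled link_annotation, the eight .pdf targets resolve to eight distinct hosts (so host clustering alone would not fire), and the shared directory template /uploads/#/#/#/#/# covers all of them, which is what tips the score to a match. On a real sample, run the scan on decompressed object streams as well, since link annotations may live inside a FlateDecode'd /ObjStm where a raw-byte regex cannot see them.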

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001fda.bin
SHA-256: 5818301852138b99010243a2f13496024627c0b8381bbe1653c8e36236c649ef
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1FDA
Size: 7760 bytes