Malicious PDF — malware analysis report

Static analysis result for SHA-256 6d08a435bd2acf45…

Verdict: MALICIOUS
File type: PDF
Size: 40.5 KB
Authoring application: GIMP
MD5: 504f632dcb92ba37c51605d33b746055
SHA-1: ab6c9ba121ec76e6cefc790557bb8500c2369110
SHA-256: 6d08a435bd2acf458359a5ce35bcc69b8024c2c6169141a7b302acacb86b0d38
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries a large number of clickable links to other PDF files on external hosts, the structure of a generated link farm used to route users into malicious content rather than the citation pattern of a genuine document. The ClamAV signature (Pdf.Phishing.TtraffRobotInstall-7605656-0) and the ML classifier (malicious score 0.9999) independently point to malicious intent, most likely phishing or unwanted-software delivery. The document body, although heavily corrupted, references educational topics (one of the embedded URLs carries the search fragment "igcse biology past paper questions by topic"), which fits a search-engine lure aimed at students. Two caveats for the analyst: the "GIMP" authoring application is attacker-controlled metadata, unusual for a text document, and should not be used for attribution; and the T1059.007 (JavaScript) tag is not backed by any JavaScript indicator among the heuristics listed in this report, so treat it as unconfirmed until the object tree has been inspected.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm   critical   PDF_SEO_LINK_FARM
    A small PDF carrying many clickable external links to other PDF files, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, not the citation pattern of a normal document.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0   critical   CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URLs   info   EMBEDDED_URL
    One or more URLs were extracted from the document. A URL is not itself a detection; the per-URL labels (macro, JS, link annotation, document body, ...) identify which channel reached each URL.
    • http://bmorewell.com/uploads/1/3/0/3/130313610/f3a02d4.pdf
    • http://nshs.northsmithfieldschools.com/uploads/1/3/0/6/130640164/bokigifipexinu.pdf
    • http://evergreen-memorials.com/uploads/1/3/0/7/130776886/5157769.pdf
    • http://yogamamacb.com/uploads/1/3/0/6/130603948/64a64bee08b9b42.pdf
    • http://macrovisionhospitality.com/uploads/1/3/0/6/130620679/wekuxuwafe.pdf
    • http://bluedolphinphuket.com/uploads/1/3/0/4/130488476/kovisadalokajuluwibi.pdf
    • http://pvdloop.com/uploads/1/3/0/5/130590368/patukoda.pdf
    • http://patchcreativeunit.org/uploads/1/3/0/5/130544751/pavoxaxosazavisiruj.pdf
    • http://nicolehamilton.com.au/uploads/1/3/0/6/130605028/nanukatesumopo.pdf
    • http://cafeformosa.com/uploads/1/3/0/5/130550985/divap-temix-mefovajixivedul-sejawolubexepe.pdf
    • http://adoptme.info/uploads/1/3/0/2/130289493/130289493.html#igcse+biology+past+paper+questions+by+topic
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    Note that the ten .pdf URLs sit on ten distinct hosts rather than one; what they share is the generated path template /uploads/1/3/0/<n>/<id>/<random-name>.pdf, so the clustering in this sample is on the path template, not on a hostname. The adoptme.info HTML link carries the search fragment that names the lure. The last two URLs are the DejaVu font project's homepage and license page; they most likely originate from the metadata of the embedded sfnt fonts carved below rather than from a link annotation, and should not be counted as part of the farm.
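As an added illustration of the PDF_SEO_LINK_FARM heuristic and of the channel distinction the EMBEDDED_URL entry describes (a URL reached through a clickable link annotation versus one merely present in the document body), the following Python is editor-written example code, not the analysis platform's own implementation. It scans raw PDF bytes for /URI actions and for bare URLs, counts clickable external .pdf links, measures how concentrated they are, and flags the file when a small PDF carries many such links. It goes one step beyond the heuristic's wording: because the URLs listed above span distinct hosts but share one generated path template, it clusters on the host and on a digit-collapsed path template, whichever is stronger. The thresholds, the path_template helper, the *.example hosts and the constructed sample PDF are all assumptions; real samples usually have FlateDecode-compressed streams, which must be inflated before a scan like this sees anything.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Two channels the report distinguishes: URLs reached through a /URI action on a
# link annotation (clickable), and URLs merely present somewhere in the bytes.
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
BARE_URL_RE = re.compile(rb"https?://[^\s<>()\"']+")


def extract_urls(pdf_bytes):
    """Return (link_annotation_urls, body_urls) found in raw PDF bytes.
    Assumption: streams are not compressed; a production tool inflates them first."""
    link_urls = [m.group(1).decode("latin-1") for m in URI_ACTION_RE.finditer(pdf_bytes)]
    link_set = set(link_urls)
    body_urls = [u for u in (m.group(0).decode("latin-1") for m in BARE_URL_RE.finditer(pdf_bytes))
                 if u not in link_set]
    return link_urls, body_urls


def path_template(url):
    """Collapse digit runs and drop the filename, so /uploads/1/3/0/6/130640164/x.pdf
    becomes /uploads/N/N/N/N/N/*.pdf and exposes a shared generator template."""
    head, _, _ = urlparse(url).path.rpartition("/")
    return re.sub(r"\d+", "N", head) + "/*.pdf"


def link_farm_score(pdf_bytes, max_size=100 * 1024, min_pdf_links=8, min_cluster_share=0.6):
    """Editor's reimplementation of the PDF_SEO_LINK_FARM idea with assumed thresholds:
    a small file whose clickable links are mostly external .pdf URLs that cluster
    either on one host or on one generated path template."""
    link_urls, _ = extract_urls(pdf_bytes)
    pdf_links = [u for u in link_urls if urlparse(u).path.lower().endswith(".pdf")]
    n = len(pdf_links)
    hosts = Counter(urlparse(u).netloc.lower() for u in pdf_links)
    templates = Counter(path_template(u) for u in pdf_links)
    host_share = hosts.most_common(1)[0][1] / n if n else 0.0
    template_share = templates.most_common(1)[0][1] / n if n else 0.0
    hit = (len(pdf_bytes) <= max_size and n >= min_pdf_links
           and max(host_share, template_share) >= min_cluster_share)
    return {"size": len(pdf_bytes), "pdf_links": n, "distinct_hosts": len(hosts),
            "host_share": round(host_share, 2), "template_share": round(template_share, 2),
            "top_template": templates.most_common(1)[0][0] if n else "", "hit": hit}


def build_sample(n_links=10, hosts=("farm.example",)):
    """Constructed input (not the analysed sample): an uncompressed PDF skeleton with
    n_links /Link annotations whose /URI actions point at .pdf files spread over the
    given hosts, plus two non-clickable URLs inside a content stream. It has no xref
    table, so it is not a viewer-valid PDF, but it exercises the byte-level scan."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annots = b" ".join(b"%d 0 R" % (5 + i) for i in range(n_links))
    objs.append(b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [" + annots + b"] >>")
    text = b"BT (Fonts: http://fonts.example and http://fonts.example/wiki/License) Tj ET"
    objs.append(b"<< /Length %d >>\nstream\n" % len(text) + text + b"\nendstream")
    for i in range(n_links):
        host = hosts[i % len(hosts)].encode()
        uri = b"http://%s/uploads/1/3/0/%d/%d/doc%d.pdf" % (host, i % 10, 130000000 + i, i)
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    b"/A << /S /URI /URI (" + uri + b") >> >>")
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, start=1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    sample = build_sample(hosts=tuple("h%d.example" % i for i in range(10)))
    links, body = extract_urls(sample)
    for u in links:
        print("link-annotation ", u)
    for u in body:
        print("document-body   ", u)
    print(link_farm_score(sample))
```

Run stand-alone it prints each URL with the channel that reached it and the verdict dictionary; with ten links on ten hosts the host share is only 0.1 but the template share is 1.0, which is the situation in the sample above. Swapping the regex scan for a real object-tree walk (inflating streams and following /Annots arrays) is the change needed before using this on compressed files.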

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                        Kind              Source                                        Size
font_00_sfnt_off000012a6.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x12A6     8024 bytes
  SHA-256: 554e007019ae2946e3318cc184ee2a0017a67c78f9478d48f82a475be30dd3d6
font_01_sfnt_off00004e0a.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x4E0A     1708 bytes
  SHA-256: 83459e82cebe561b9e65dda6a09953c9e35f75e5df0fa62a624e1833cc5b8086
font_02_sfnt_off000055fe.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x55FE     16380 bytes
  SHA-256: b69ce027b6fb2f8a6f51bdaa9b5ecd21fba9dc79e25f7b9871139dd792271885