Malicious PDF — malware analysis report

Static analysis result for SHA-256 6f0fda439abdf9bc…

Verdict: MALICIOUS
File type: PDF
Size: 39.9 KB
Authoring application: Mobipocket Creator
MD5: de1745a19077884f730b3961130b849f
SHA-1: 7b645787d173b2483042d8beb3e4b3e886c891fb
SHA-256: 6f0fda439abdf9bc48456699f2e2053bafa1321e82cecb57018069748871b479
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF contains a large number of embedded links to external PDF files hosted on various domains, as indicated by the PDF_SEO_LINK_FARM heuristic. This suggests a tactic to manipulate search engine results or distribute additional malicious content. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000037d2.bin
SHA-256: 2ffbf734f6100a383814ee775bf9f6e847b545cd4a3b3dd0f2aa09fcbc19e3c2
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x37D2
Size: 8608 bytes