Malicious PDF — malware analysis report

Static analysis result for SHA-256 6fd978d9b9751c43…

MALICIOUS

PDF

Size: 40.9 KB
Authoring application: Adobe PDF Library 9.0
MD5: f6330336d880409fadab2dd78143cb5f
SHA-1: 920796e42b65edd88a97997d048895815bfdd6d7
SHA-256: 6fd978d9b9751c436c1d955e6924d6507333cbae6fe8df467241e5587ce47eaa
Risk Score: 172

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded links to other PDF files, a common technique for SEO poisoning or distributing further malicious content. The heuristic 'SE_CALLBACK_LURE' suggests a phishing or scam pretext, and ClamAV detection confirms maliciousness. The embedded links likely lead to further stages of infection or phishing attempts.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Callback phishing phone lure (medium, SE_CALLBACK_LURE)
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://adamhenryink.com/uploads/1/3/0/5/130588620/pezevuwileweludexib.pdf
    • http://amicoffeecompany.com/uploads/1/3/0/8/130813550/gemijokeledu.pdf
    • http://mingrentang.bpmtc.com/uploads/1/3/0/5/130588240/xogipa_dajozef.pdf
    • http://hostmaster.kdbug.com/uploads/1/3/0/8/130815381/sapop.pdf
    • http://agapefreetractministry.com/uploads/1/3/0/6/130620705/kumone-jajujabojevolu-kujijizajetez.pdf
    • http://ngoji.com/uploads/1/3/0/6/130605010/4da1a8.pdf
    • http://asuntosydocumentoslegales.com/uploads/1/3/0/6/130604027/67138.pdf
    • http://www.curvybridalsboston.com/uploads/1/3/0/6/130603728/1f2db00bc.pdf
    • http://www.threegracesestate.com/uploads/1/3/0/4/130483062/polakit.pdf
    • http://mobileopsdetailing.com/uploads/1/3/0/2/130270996/ab510b7042b.pdf
    • http://sylvanlaketech.ca/uploads/1/3/0/2/130288520/77b3bc6f7a.pdf
    • http://homeworkstrike.com/uploads/1/3/0/7/130739852/muwitilejunotij-dobezej-wifewanarudasob.pdf
    • http://griffoncommodities.com/uploads/1/3/0/5/130544754/dosijitazafolezugi.pdf
    • http://outdoorsmetalguy.com/uploads/1/3/0/8/130873989/zogugopafaxu-lepokawoxejuxu-nafodobadeki.pdf
    • http://businessrecords.net/uploads/1/3/0/4/130475939/gevupafobasamevolaj.pdf
    • http://conlegal.com.co/uploads/1/3/0/5/130551174/tagofigexodudavapom.pdf
    • http://www.masseydefense.com/uploads/1/3/0/6/130621859/679b4.pdf
    • http://www.livelovelash.net/uploads/1/3/0/7/130775186/tumerunotura-kajinofipipilos-nizeb-bopijo.pdf
    • http://vps12-internal.pleasingfood.com/uploads/1/3/0/6/130620833/130620833.html#gta+5+cheats+xbox+1+fast+cars

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000040cc.bin
SHA-256: 9c731fdb63d53ba58b8fffdac4b2682384375ea461b70063b4d6e75c4fe46c15
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x40CC
Size: 8356 bytes