Malicious PDF — malware analysis report

Static analysis result for SHA-256 714c70e9d027bde6…

Verdict: MALICIOUS
File type: PDF
Size: 35.4 KB
Authoring application: Soda PDF
MD5: 3526cb85fceb8deb65e80fca493fc5ff
SHA-1: 6c33742e1580e1a8f331742c7e3f9768fed0404a
SHA-256: 714c70e9d027bde60ecfe5a8409a971ede0442b066e0afcb7481a4f25f86ec3b
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF carries a large number of clickable external links, flagged by the PDF_SEO_LINK_FARM heuristic. The links point to many different domains that all share the same generated /uploads/1/3/0/<n>/<id>/ path structure, the signature of a link-farm or SEO-manipulation carrier rather than a normal citation pattern. The ML classifier (malicious score 1.0000) and the ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 corroborate the verdict; the ClamAV name classifies the file as phishing-related.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://hostmaster.chartreuxcat.net/uploads/1/3/0/6/130604304/4836174.pdf
    • http://krispykleanautospa.com/uploads/1/3/0/7/130775688/2c9a768.pdf
    • http://www.beardugobabies.com/uploads/1/3/0/5/130541209/8283657.pdf
    • http://www.palmettocustomwoodworking.com/uploads/1/3/0/3/130323422/7862606.pdf
    • http://mid-americathermalimaging.com/uploads/1/3/0/6/130604606/c4f0233bf8d3b.pdf
    • http://happyoilygoodness.com/uploads/1/3/0/7/130740191/b116e4b57ffc3.pdf
    • http://bhelandscaping.com/uploads/1/3/0/6/130605165/3395392.pdf
    • http://www.colormebeautiful.co/uploads/1/3/0/9/130969993/zukisotesejod.pdf
    • http://mestrenen.com/uploads/1/3/0/5/130550948/jizumawete.pdf
    • http://basauribai.com/uploads/1/3/0/6/130620198/zitigunafevok_busurap_kazaxi_musakisut.pdf
    • http://berryflats.net/uploads/1/3/0/8/130814085/vijapegexepatarirepe.pdf
    • http://www.geobiologiabarcelona.es/uploads/1/3/0/6/130621628/130621628.html#example+of+application+letter+for+civil+engineering+internship
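The two PDF checks above (the PDF_SEO_LINK_FARM heuristic and the EMBEDDED_URL extraction) can be reproduced at triage time with a few dozen lines. The script below is an added example, not the scanner's own code: it builds a constructed one-page PDF in memory (invented hosts, paths shaped like the /uploads/1/3/0/<n>/<id>/ ones in the list above), extracts every /URI link-annotation target from the raw bytes and from inflated FlateDecode streams (the channel a byte-only scanner misses once a PDF 1.5 writer packs annotations into object streams), and scores the result. The thresholds (100 KB, 8 links, 60% clustering) and the path-template rule are assumptions for the example; the page does not state what the real heuristic uses.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample data: hosts are invented, paths mimic the generated
# /uploads/1/3/0/<n>/<id>/<name>.pdf shape seen in the report's URL list.
FARM_URLS = [f"http://site{i:02d}.example/uploads/1/3/0/{i % 10}/1305{i:05d}/{i * 7919:x}.pdf"
             for i in range(12)]
CITATION_URLS = ["https://www.rfc-editor.org/rfc/rfc8259", "https://example.org/paper.pdf"]


def _lit(s):
    """Encode a str as a PDF literal-string body (escape backslash and parens)."""
    return s.encode().replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")


def build_pdf(urls, compress=False):
    """Constructed one-page PDF with one /Link annotation (/URI action) per URL.
    compress=True packs the annotations into a FlateDecode object stream
    (PDF 1.5 /ObjStm), which is how real files hide them from a naive byte scan.
    The classic xref written here does not index in-stream objects (a conformant
    file would use an xref stream); that is enough for a scanner demo."""
    annots = [b"<< /Type /Annot /Subtype /Link /Rect [72 %d 540 %d] /A << /S /URI /URI (%s) >> >>"
              % (700 - 20 * i, 715 - 20 * i, _lit(u)) for i, u in enumerate(urls)]
    n = len(annots)
    objs = {1: b"<< /Type /Catalog /Pages 2 0 R >>",
            2: b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            3: b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [%s] >>"
               % b" ".join(b"%d 0 R" % (4 + i) for i in range(n))}
    if not compress:
        objs.update({4 + i: a for i, a in enumerate(annots)})
    else:  # ObjStm header = "objnum offset" pairs, offsets relative to /First
        hdr = b" ".join(b"%d %d" % (4 + i, sum(len(a) + 1 for a in annots[:i]))
                        for i in range(n)) + b"\n"
        data = zlib.compress(hdr + b"\n".join(annots))
        objs[4 + n] = (b"<< /Type /ObjStm /N %d /First %d /Length %d /Filter /FlateDecode >>"
                       b"\nstream\n" % (n, len(hdr), len(data)) + data + b"\nendstream")
    out, offsets = bytearray(b"%PDF-1.5\n"), {}
    for num in sorted(objs):
        offsets[num] = len(out)
        out += b"%d 0 obj\n%s\nendobj\n" % (num, objs[num])
    xref, size = len(out), max(objs) + 1
    out += b"xref\n0 %d\n" % size
    for num in range(size):  # fixed 20-byte entries; unindexed numbers are marked free
        out += (b"%010d 00000 n \n" % offsets[num]) if num in offsets else b"0000000000 65535 f \n"
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (size, xref)
    return bytes(out)


_URI_LIT = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
_URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
_FLATE = re.compile(rb"obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n(.*?)endstream", re.S)


def _unescape(lit):
    """Undo PDF literal-string escapes: \\( \\) \\\\ and \\ddd octal."""
    return re.sub(rb"\\([()\\]|[0-7]{1,3})",
                  lambda m: m.group(1) if m.group(1) in (b"(", b")", b"\\")
                  else bytes([int(m.group(1), 8) & 0xFF]), lit)


def extract_link_uris(pdf):
    """Return every /URI action target, scanning the raw bytes and the inflated
    contents of FlateDecode streams. Skipping the second step is the classic
    false negative: PDF 1.5 object streams keep the annotations compressed."""
    buffers = [pdf]
    for dict_src, body in _FLATE.findall(pdf):
        if b"/FlateDecode" not in dict_src:
            continue
        length = re.search(rb"/Length\s+(\d+)", dict_src)
        if length:
            body = body[: int(length.group(1))]  # drop the EOL before endstream
        try:
            buffers.append(zlib.decompress(body))
        except zlib.error:
            pass  # predictor, damaged data or a nested filter: not raw zlib, skip
    found = []
    for buf in buffers:
        found += [_unescape(m.group(1)).decode("latin-1") for m in _URI_LIT.finditer(buf)]
        for m in _URI_HEX.finditer(buf):  # hex strings are a common obfuscation
            hexstr = re.sub(rb"\s", b"", m.group(1))
            hexstr += b"0" * (len(hexstr) % 2)  # odd length pads with 0 per spec
            found.append(bytes.fromhex(hexstr.decode()).decode("latin-1"))
    return found


def link_farm_score(pdf, *, max_kb=100, min_links=8, share=0.6):
    """Apply the heuristic: small file, many distinct external links, clustered
    on one host or (for multi-domain farms like the one in this report) on one
    generated path template. Thresholds are assumed for this example."""
    uniq = sorted({u for u in extract_link_uris(pdf) if u.startswith(("http://", "https://"))})

    def template(u):  # /uploads/1/3/0/6/130604304/4836174.pdf -> /uploads/N/N/N/N/N/*
        return re.sub(r"\d+", "N", urlsplit(u).path.rsplit("/", 1)[0]) + "/*"

    hosts = Counter(urlsplit(u).hostname for u in uniq)
    templates = Counter(template(u) for u in uniq)
    size_kb = len(pdf) / 1024
    top_host = hosts.most_common(1)[0][1] / len(uniq) if uniq else 0.0
    top_tmpl = templates.most_common(1)[0][1] / len(uniq) if uniq else 0.0
    return {"links": len(uniq), "size_kb": round(size_kb, 1),
            "links_per_kb": round(len(uniq) / size_kb, 2),
            "top_host_share": round(top_host, 2), "top_template_share": round(top_tmpl, 2),
            "flagged": size_kb <= max_kb and len(uniq) >= min_links and max(top_host, top_tmpl) >= share}


if __name__ == "__main__":
    for name, doc in [("farm", build_pdf(FARM_URLS)),
                      ("farm/objstm", build_pdf(FARM_URLS, compress=True)),
                      ("citations", build_pdf(CITATION_URLS))]:
        print(f"{name:12s} {link_farm_score(doc)}")
```

The host-share rule alone would not fire on the sample in this report (twelve links, twelve hosts); the path-template share does, which is why the score checks both. Real scanners also have to handle /Launch and /GoToR actions, JavaScript-built URLs and non-zlib filters (ASCIIHex, LZW, predictors); those are the channels the per-URL labels in the report distinguish.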

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000030a0.bin
SHA-256: 28e142bc9ab54f261472069193a782318c26f7e952792bb96f835a68fa4fc336
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x30A0
Size: 8852 bytes