Malicious PDF — malware analysis report

Static analysis result for SHA-256 7330d17dd1a2dfec…

Verdict: MALICIOUS
File type: PDF
Size: 34.1 KB
Authoring application: PDF Studio
MD5: 9196982c43e66175c907987ddd714a1a
SHA-1: 63ce326d71901e8089e0eed7eb619717f7adae1b
SHA-256: 7330d17dd1a2dfec5af502f996038e0032aa96066aceea06fb4c7adbed7d95b4
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The document was flagged by two critical heuristics, a PDF_SEO_LINK_FARM finding for 26 external PDF links and a ClamAV signature match (Pdf.Phishing.TtraffRobotInstall-7605656-0), plus an informational listing of the embedded URLs. The Nyx ML classifier independently scored it as malicious (1.0000). The embedded links most likely act as a lure that routes the reader to further malicious content or phishing pages; no payload is carried in the file itself, which is consistent with a spearphishing-attachment / content-luring pattern rather than an exploit document.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://opentimeline.com/uploads/1/3/0/5/130551607/4925178.pdf
    • http://maconsummerfest.org/uploads/1/3/0/7/130738863/xonobasot.pdf
    • http://laextraordinaire.com/uploads/1/3/0/5/130589006/pumiwobofawibimabi.pdf
    • http://true49.ca/uploads/1/3/0/5/130590036/wazijipafawa.pdf
    • http://gz9c2.slpny.com/uploads/1/3/0/7/130740497/susuberevutag.pdf
    • http://rooflocators.com/uploads/1/3/0/7/130775063/8886990b.pdf
    • http://www.indigomountainpr.com/uploads/1/3/0/7/130776523/e36d5.pdf
    • http://martialartsphotographer.com/uploads/1/3/0/9/130969399/wetivuja-moxunuvubanifo-nedebi-foketawegopo.pdf
    • http://clipture.net/uploads/1/3/0/6/130604342/1343066.pdf
    • http://www.spiritascend.com/uploads/1/3/0/6/130620265/purujuwi.pdf
    • http://www.satinandrose.com/uploads/1/3/0/3/130313070/genopizaxu-selalumo-nizudovekik.pdf
    • http://bullsandbarbells.com/uploads/1/3/0/2/130271214/zofivafivosa.pdf
    • http://freecoolmathgames.org/uploads/1/3/0/6/130620565/d286dc5e1fb6b.pdf
    • http://andmerchant.org/uploads/1/3/0/8/130814083/130814083.html#cara+mengubah+format+jpg+ke+pdf+di+laptop
    Note: the listed targets are spread across distinct hosts, but every one of them shares the path template /uploads/1/3/0/<digit>/130xxxxxx/<file>, which suggests a single hosting platform or generator behind the campaign rather than unrelated sites; when pivoting, cluster on the path template as well as the host.
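The following is a worked approximation of the PDF_SEO_LINK_FARM heuristic described above. It is an added example, not the analysis platform's own rule code, and it makes assumptions: it builds a constructed one-page PDF with one URI link annotation per target (hypothetical *.example hosts, not the URLs from this report), pulls /URI targets out of the raw bytes with a regular expression (annotations inside compressed object streams would first need inflating, which is not handled), and then applies assumed thresholds of at most 64 KB file size, at least ten external http(s) links whose path ends in .pdf, and half or more of those on a single host.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed link targets (hypothetical hosts, not the URLs from the report):
# eight PDFs on one host, three PDFs on other hosts, and one HTML page.
SAMPLE_URLS = (
    [f"http://cluster.example/uploads/1/2/3/4/12345{i}/lure{i}.pdf" for i in range(8)]
    + [
        "http://other-a.example/uploads/1/2/3/5/123456/a.pdf",
        "https://other-b.example/files/b.PDF",
        "http://other-c.example/docs/c.pdf",
        "http://other-d.example/uploads/1/2/3/8/123457/index.html#some+anchor",
    ]
)

# The value of a /URI key, either a literal string "(...)" with backslash
# escapes or a hex string "<...>". Only \( \) and \\ are unescaped here.
URI_RE = re.compile(rb"/URI\s*(?:\(((?:[^()\\]|\\.)*)\)|<([0-9A-Fa-f\s]*)>)")


def extract_uri_links(pdf_bytes):
    """Return URI-action targets found in raw (uncompressed) PDF bytes."""
    links = []
    for lit, hexstr in URI_RE.findall(pdf_bytes):
        if hexstr:
            raw = bytes.fromhex(re.sub(rb"\s", b"", hexstr).decode("ascii"))
        else:
            raw = re.sub(rb"\\(.)", rb"\1", lit)
        if raw:
            links.append(raw.decode("latin-1"))
    return links


def link_farm_verdict(pdf_bytes, max_size=64 * 1024, min_links=10, host_share=0.5):
    """Assumed thresholds: a PDF of at most max_size bytes carrying at least
    min_links external http(s) links to .pdf targets, with at least host_share
    of them on one host, is flagged as a link-farm carrier."""
    urls = extract_uri_links(pdf_bytes)
    pdf_links = []
    for u in urls:
        p = urlparse(u)
        if p.scheme in ("http", "https") and p.path.lower().endswith(".pdf"):
            pdf_links.append(u)
    hosts = Counter(urlparse(u).netloc.lower() for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    flagged = (
        len(pdf_bytes) <= max_size
        and len(pdf_links) >= min_links
        and share >= host_share
    )
    return {
        "size": len(pdf_bytes),
        "total_links": len(urls),
        "external_pdf_links": len(pdf_links),
        "top_host": top_host,
        "top_host_share": round(share, 3),
        "flagged": flagged,
    }


def build_sample_pdf(urls):
    """Emit a minimal, well-formed PDF with one /Link annotation per URL.
    Constructed test input; xref offsets are computed so real parsers accept it."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    ]
    annot_ids = [4 + i for i in range(len(urls))]
    annots = b" ".join(b"%d 0 R" % i for i in annot_ids)
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
                + annots + b"] >>")
    for u in urls:
        esc = (u.encode("latin-1").replace(b"\\", b"\\\\")
               .replace(b"(", b"\\(").replace(b")", b"\\)"))
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    b"/A << /S /URI /URI (" + esc + b") >> >>")
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for i, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref))
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_pdf(SAMPLE_URLS)
    for key, value in link_farm_verdict(sample).items():
        print(f"{key}: {value}")
```

For the sample in this report the host-clustering clause would be weak, since the extracted targets sit on different hosts while the path template repeats; a production rule should therefore also cluster on a normalized path shape (digits collapsed) and not rely on the netloc alone.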

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002c09.bin
SHA-256: 15fdae8bc14b0cd2d832ca7437e8f5f6d64617b5012e6eaa919c1f0c4de1a5ea
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2C09
Size: 7896 bytes