Malicious PDF — malware analysis report

Static analysis result for SHA-256 73b52c679ec6ea16…

Verdict: MALICIOUS
File type: PDF
Size: 31.4 KB
Authoring application: Serif PagePlus
MD5: c66a84b51be2550193b982f9a1519aea
SHA-1: 219803e17995c82387789d3bc1d3c5c5b25bf8e6
SHA-256: 73b52c679ec6ea162ccd80a68bbdb4dda40ee6d560d25b6fa8fb91b2ef5de38e
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF carries a large number of clickable external links, flagged by the PDF_SEO_LINK_FARM heuristic. The 23 extracted URLs point to further PDF files (and one HTML page) on 23 distinct domains that all share the same generated path layout (/uploads/1/3/0/<n>/<id>/...) and machine-generated file names: the pattern of an SEO link farm used to route a reader into a further download chain, not the citation pattern of a normal document. The Nyx classifier score and the ClamAV signature independently rate the file as malicious, consistent with phishing or unwanted-software distribution. The URLs themselves are not detections; the verdict rests on the link pattern, the classifier and the signature, and each URL should be treated as a lead to pivot on rather than as proof of a payload.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://shedrip.com/uploads/1/3/0/3/130313306/beful.pdf
    • http://pyright.net/uploads/1/3/0/6/130604538/jukosoduwega-sowofez-liwupamigisux-dalufuran.pdf
    • http://epicgymidaho.com/uploads/1/3/0/2/130272505/mujoloratumoxuvaro.pdf
    • http://mjtservices.info/uploads/1/3/0/7/130739274/vijorakuwin-wawuk-vilezupowune.pdf
    • http://amycakes.biz/uploads/1/3/0/5/130551096/fubedebo.pdf
    • http://edithbonilla.com/uploads/1/3/0/2/130274199/sobipopebonegan.pdf
    • http://bloodsugarbikemagic.com/uploads/1/3/0/7/130776399/tutoselizajega-xewajuvix-terenax-vasasekudubedeb.pdf
    • http://crawlspaceencapsulations.com/uploads/1/3/0/4/130483617/6284371.pdf
    • http://didlogic.org/uploads/1/3/0/4/130476069/pofad_zujerigetim_rewixixek.pdf
    • http://workintel.net/uploads/1/3/0/8/130873795/zekosoxokixuju.pdf
    • http://nesretreat.com/uploads/1/3/0/5/130588225/lofujiverafeg_junobuxib_nenuwizup.pdf
    • http://pasorobles.events/uploads/1/3/0/6/130639321/26fb5ab782513.pdf
    • http://holistichealthservicesavannah.com/uploads/1/3/0/5/130551880/1007c82fbbe83a.pdf
    • http://mchenryc.net/uploads/1/3/0/6/130621455/7760227.pdf
    • http://jonathandmello.com/uploads/1/3/0/7/130738974/tonubasaxajet_ritulan_zaporalixupude.pdf
    • http://emofsync.com/uploads/1/3/0/4/130483868/madedozutoveliv.pdf
    • http://sova1.com/uploads/1/3/0/2/130287533/femowuruwevagizipe.pdf
    • http://matt-dana-wedding.com/uploads/1/3/0/7/130775876/b2f24012f317c4.pdf
    • http://miftahinvestmentgroup.com/uploads/1/3/0/4/130477945/7519dc4.pdf
    • http://metropolis-exc.com/uploads/1/3/0/6/130639533/vejamusimar_nazoti_nulozabotixinik_zubixebupoja.pdf
    • http://christopherhoadley.org/uploads/1/3/0/7/130776818/nijuvudud.pdf
    • http://medios21.com/uploads/1/3/0/7/130740340/bugekekowo.pdf
    • http://sweetestdreams.org/uploads/1/3/0/5/130543772/130543772.html#total+knee+arthroplasty+surgical+technique+pdf
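What the PDF_SEO_LINK_FARM heuristic and the per-URL channel labels of the EMBEDDED_URL entry amount to in code, as an added example that is not the analyser's own implementation: every URL is extracted together with the channel that reaches it (link annotation or JavaScript action), then the document is scored on its size, the number of external .pdf links, and how tightly those links cluster on one host or, going one step beyond the heuristic text above, on one generated path template (the shape seen in the URL list, where many hosts share one /uploads/N/N/N/N/N/ layout). The thresholds (64 KB, 10 links, 50% cluster share), the .example hosts, and the minimal PDF builder used to produce a sample are all assumptions of this example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Channels that can carry a URL out of a PDF. Link annotations use
# /A << /S /URI /URI (...) >>; JavaScript actions use /S /JavaScript /JS (...).
# Literal strings are ( ... ) and may contain the escapes \( \) \\ inside.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
JS_RE = re.compile(rb"/JS\s*\(((?:\\.|[^\\)])*)\)")
URL_IN_TEXT_RE = re.compile(rb"https?://[^\s()<>\"']+")


def pdf_unescape(s: bytes) -> str:
    return (s.replace(b"\\(", b"(").replace(b"\\)", b")")
             .replace(b"\\\\", b"\\").decode("latin-1"))


def extract_urls(pdf: bytes) -> dict:
    """Map each URL to the set of channels that reach it (the per-URL label)."""
    found = {}
    for m in URI_RE.finditer(pdf):
        found.setdefault(pdf_unescape(m.group(1)), set()).add("link_annotation")
    for m in JS_RE.finditer(pdf):
        for url in URL_IN_TEXT_RE.findall(m.group(1)):
            found.setdefault(url.decode("latin-1"), set()).add("javascript")
    return found


def link_farm_verdict(pdf: bytes, max_size: int = 64 * 1024, min_links: int = 10,
                      cluster_share: float = 0.5) -> dict:
    """PDF_SEO_LINK_FARM-style verdict. Thresholds are assumptions, not the report's."""
    urls = extract_urls(pdf)
    ext_pdf = sorted(u for u, ch in urls.items()
                     if "link_annotation" in ch
                     and urlsplit(u).scheme in ("http", "https")
                     and urlsplit(u).path.lower().endswith(".pdf"))
    n = len(ext_pdf)
    hosts = Counter((urlsplit(u).hostname or "").lower() for u in ext_pdf)
    # Collapse digit runs so /uploads/1/3/0/4/130483617/ and /uploads/1/3/0/7/130776818/
    # fall into one template: generated farms reuse one path shape across many hosts.
    templates = Counter(re.sub(r"\d+", "N", urlsplit(u).path.rsplit("/", 1)[0]) for u in ext_pdf)
    host_share = hosts.most_common(1)[0][1] / n if n else 0.0
    template_share = templates.most_common(1)[0][1] / n if n else 0.0
    return {
        "size": len(pdf),
        "external_pdf_links": n,
        "distinct_hosts": len(hosts),
        "top_host_share": round(host_share, 2),
        "top_path_template_share": round(template_share, 2),
        "PDF_SEO_LINK_FARM": (len(pdf) <= max_size and n >= min_links
                              and max(host_share, template_share) >= cluster_share),
    }


def build_sample_pdf(urls, js_url=None) -> bytes:
    """Constructed one-page PDF whose only content is /Link annotations (plus an optional JS OpenAction)."""
    catalog = b"<< /Type /Catalog /Pages 2 0 R"
    if js_url:
        catalog += b" /OpenAction << /S /JavaScript /JS (app.launchURL\\(\"%s\", true\\)) >>" % js_url.encode()
    catalog += b" >>"
    objs = [catalog, b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>", b""]
    refs = []
    for i, url in enumerate(urls):
        refs.append(b"%d 0 R" % (len(objs) + 1))
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 %d 200 %d] "
                    b"/A << /S /URI /URI (%s) >> >>" % (10 * i, 10 * i + 10, url.encode()))
    objs[2] = b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] /Annots [" + b" ".join(refs) + b"] >>"
    out, offsets = b"%PDF-1.4\n", []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_at)
    return out


# Constructed URLs mimicking the report's shape: twelve hosts, one generated path template.
SAMPLE_URLS = ["http://host%02d.example/uploads/1/3/0/%d/1305%05d/doc%d.pdf"
               % (i, i % 9, 100 + i * 37, i) for i in range(12)]

if __name__ == "__main__":
    sample = build_sample_pdf(SAMPLE_URLS, js_url="http://js.example/next.pdf")
    for url, channels in sorted(extract_urls(sample).items()):
        print(sorted(channels), url)
    print(link_farm_verdict(sample))
```

The verdict separates the three facts the report's heuristic text conflates: the file is small, it has many external .pdf links, and the links are clustered (here by path template rather than host, which is what the URL list in this report actually shows). A link that also appears in a JavaScript action keeps both labels, which is the information the EMBEDDED_URL entry tells you to look at before treating a URL as anything more than an indicator.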

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001c99.bin
SHA-256: 210584833909245f3e608d37729ad78122dab4d960ab7bee60f8eeeeb46c99f3
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1C99
Size: 6424 bytes
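How an artifact record like the one above is produced, as an added example rather than the report's own carving code: scan the PDF for stream objects, inflate FlateDecode streams, keep those whose decoded bytes start with an sfnt magic, and record the file offset of the raw stream, the decoded size and the SHA-256 under the report's font_NN_sfnt_offXXXXXXXX.bin naming. The sample PDF fragment and the sfnt header in it are constructed (it is not a real font), and the regex-based stream parser assumes stream data never contains a literal endstream token; production tooling honours /Length instead.

```python
import hashlib
import re
import struct
import zlib

# sfnt container magics (what a PDF embeds under /FontFile2 or /FontFile3).
SFNT_MAGICS = {
    b"\x00\x01\x00\x00": "TrueType",
    b"OTTO": "OpenType (CFF)",
    b"true": "TrueType (Apple)",
    b"ttcf": "TrueType collection",
}

# One indirect stream object: "N G obj << dict >> stream\r?\n ... \r?\nendstream".
# The (?!endobj) guard keeps the dictionary from spilling across a non-stream object.
STREAM_RE = re.compile(
    rb"obj\s*(<<(?:(?!endobj).)*?>>)\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def carve_sfnt_streams(pdf: bytes) -> list:
    """Return one record per stream whose decoded bytes start with an sfnt magic."""
    carved = []
    for m in STREAM_RE.finditer(pdf):
        dictionary, raw = m.group(1), m.group(2)
        data = raw
        if b"/FlateDecode" in dictionary:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                continue  # truncated or deliberately corrupt stream: skip, do not crash
        kind = SFNT_MAGICS.get(data[:4])
        if kind is None:
            continue  # page content, images and other non-font streams
        offset = m.start(2)  # file offset of the raw (still compressed) stream data
        carved.append({
            "filename": f"font_{len(carved):02d}_sfnt_off{offset:08x}.bin",
            "kind": kind,
            "offset": offset,
            "size": len(data),  # size of the decoded bytes, as in the report
            "flate": data is not raw,
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return carved


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample (not a real font): an sfnt header with a single 'head' table record.
SAMPLE_SFNT = (b"\x00\x01\x00\x00" + struct.pack(">HHHH", 1, 16, 0, 0)
               + b"head" + struct.pack(">III", 0, 28, 54) + b"\x00" * 54)


def build_sample_stream_pdf(font: bytes = SAMPLE_SFNT) -> bytes:
    """Constructed PDF fragment: one Flate-compressed /FontFile2 stream and one plain content stream."""
    packed = zlib.compress(font)
    parts = [
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n",
        b"4 0 obj\n<< /Length %d /Filter /FlateDecode /Length1 %d >>\nstream\n" % (len(packed), len(font)),
        packed,
        b"\nendstream\nendobj\n",
        b"5 0 obj\n<< /Length 11 >>\nstream\n0 0 m 1 1 l\nendstream\nendobj\n",
        b"%%EOF\n",
    ]
    return b"".join(parts)


if __name__ == "__main__":
    for rec in carve_sfnt_streams(build_sample_stream_pdf()):
        print(rec)
```

The offset in the record is where the compressed bytes sit in the file, while the size is that of the decoded blob; that is why a carved font can be listed at one offset yet be larger than the stream it came from. A carved font stream is an artifact to hash and compare, not an indicator on its own.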