Malicious PDF — malware analysis report

Static analysis result for SHA-256 73d1d42664d53399…

Verdict: MALICIOUS
File type: PDF
Size: 47.6 KB
Authoring application: PDF Studio
MD5: f9f083f720e7a097f2a3cf23015f88c8
SHA-1: 9227be230f6649d7a34344f3a324264e6cd98486
SHA-256: 73d1d42664d533995b3b6add069629c5e4462be17aee599c273c8817c43e5408
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

No scripts or other active content were extracted from the document; its malicious indicators are its link annotations. The PDF_SEO_LINK_FARM heuristic flagged 15 clickable external links, 14 of them pointing at other .pdf files under /uploads/ paths, the pattern of generated SEO/link-farm carrier PDFs that route users into phishing or unwanted-software delivery chains rather than a normal citation pattern. The Nyx PDF classifier (ML_NYX_PDF_MALICIOUS, score 1.0000) and the ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 independently classify the file as malicious. The remaining three URLs (www.ascendercorp.com and the Liberation font licence page on fedoraproject.org) are consistent with the name table of the two embedded fonts carved below and are not indicators; treat only the link-annotation targets as IOCs.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schuberthackett.com/uploads/1/3/0/2/130291596/01f1b.pdf
    • http://kuhni-msc13.icu/uploads/2020/01/29/romutavufugaze.pdf
    • http://crompers.com/uploads/1/3/0/5/130545475/2627311.pdf
    • http://academy-millionaires.com/uploads/2020/01/28/8207740.pdf
    • http://fofiv.krediteka.ru/uploads/2020/01/27/mifuwonav.pdf
    • http://vedeforok.wedid.ru/uploads/2020/01/27/5666b3bca.pdf
    • http://moodish.org/uploads/1/3/0/5/130539936/volafi.pdf
    • http://realestatekash.buzz/uploads/2020/01/28/zamom.pdf
    • http://ketone.com/uploads/1/3/0/3/130313155/ragenazoxijo_vusurakakisi_beridunezamegu_pafinapana.pdf
    • http://nobitogi.invoicing.space/uploads/2020/01/28/jovodewolup.pdf
    • http://theladsonline.com/uploads/1/3/0/5/130538922/robevej.pdf
    • http://gogakibe.klopus.ru/uploads/2020/01/27/jadukixon.pdf
    • https://werozuzava.weebly.com/uploads/1/3/0/4/130489080/fogutos.pdf
    • http://secretgourmetpicnic.com/uploads/1/3/0/6/130604651/281842.pdf
    • http://misbailes.com/uploads/1/3/0/5/130550938/130550938.html#critical+thinking+analogies+answers
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
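The link-farm rule above is easy to reproduce. The script below is an added example, not the scanner's code: it pulls every /URI action out of a PDF (scanning the raw bytes and every stream that inflates with zlib, so annotations hidden in object streams are seen too), then applies a small-file / many-links / clustered-links rule. The thresholds, the helper names and the sample link set are assumptions for the example; the sample PDF is constructed in the script and is not the analysed file.

```python
"""Illustrative link-farm heuristic: count clickable external links in a PDF and
measure how tightly they cluster. Thresholds and helper names are assumptions
for this example, not the scanner's real implementation."""
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

SMALL_PDF_MAX_BYTES = 200 * 1024   # assumed "small PDF" ceiling
MIN_EXTERNAL_LINKS = 10            # assumed minimum number of distinct external links
CLUSTER_SHARE = 0.5                # assumed share on one host or on one target type

# /URI (literal string) inside a link action; backslash escapes allowed in the string.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
# Any stream body; bodies that inflate are scanned too (object streams hide annotations there).
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def _unescape(lit: bytes) -> str:
    # PDF literal strings escape ( ) and \ with a backslash; enough for URLs.
    return re.sub(rb"\\(.)", rb"\1", lit).decode("latin-1")


def extract_uri_links(pdf: bytes) -> list[str]:
    """Every /URI target in the raw file plus in every stream that inflates with zlib."""
    bodies = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            bodies.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # raw, image or font stream: nothing to inflate
    return [_unescape(m.group(1)) for body in bodies for m in URI_RE.finditer(body)]


def link_farm_score(pdf: bytes) -> dict:
    """Apply the small-file / many-links / clustered-links rule and return the evidence."""
    links = [u for u in extract_uri_links(pdf) if u.lower().startswith(("http://", "https://"))]
    distinct = sorted(set(links))
    n = len(distinct)
    hosts = Counter(urlsplit(u).hostname or "" for u in distinct)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    pdf_targets = sum(urlsplit(u).path.lower().endswith(".pdf") for u in distinct)
    result = {
        "size": len(pdf),
        "external_links": n,
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": top_count / n if n else 0.0,
        "pdf_target_share": pdf_targets / n if n else 0.0,
    }
    result["flagged"] = (
        len(pdf) <= SMALL_PDF_MAX_BYTES
        and n >= MIN_EXTERNAL_LINKS
        and max(result["top_host_share"], result["pdf_target_share"]) >= CLUSTER_SHARE
    )
    return result


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed one-page PDF with one /Link annotation per URL (not the analysed sample)."""
    annots = " ".join(f"{4 + i} 0 R" for i in range(len(urls)))
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [{annots}] >>".encode(),
    ] + [
        f"<< /Type /Annot /Subtype /Link /Rect [72 72 300 90] /A << /S /URI /URI ({u}) >> >>".encode()
        for u in urls
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += f"{num} 0 obj\n".encode() + body + b"\nendobj\n"
    xref_at = len(out)
    out += f"xref\n0 {len(objs) + 1}\n0000000000 65535 f \n".encode()
    out += b"".join(f"{off:010d} 00000 n \n".encode() for off in offsets)
    out += f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\nstartxref\n{xref_at}\n%%EOF\n".encode()
    return bytes(out)


def flate_stream(body: bytes) -> bytes:
    """Constructed FlateDecode stream fragment, to exercise the inflate path."""
    return b"<< /Filter /FlateDecode >>\nstream\n" + zlib.compress(body) + b"\nendstream"


# Constructed link set in the shape seen in link-farm carriers: generated .pdf names
# under /uploads/ paths, most of them on one host. Example domains only.
SAMPLE_URLS = [f"http://files.example.net/uploads/2020/01/2{i}/doc{i:02d}.pdf" for i in range(12)] + [
    "http://other.example.org/uploads/1/3/0/2/1302/report.pdf",
    "http://third.example.com/uploads/index.html#critical+thinking",
]

if __name__ == "__main__":
    print(link_farm_score(build_sample_pdf(SAMPLE_URLS)))
```

Run it against a real sample with `link_farm_score(open(path, "rb").read())`. Two caveats a practitioner should keep in mind: URLs written as hex strings (`/URI <...>`) or reached through /GoToR or JavaScript actions are not matched by this regex, and the inflate loop only handles FlateDecode, so a document using other filters or encryption needs a real parser first.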

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000013a9.bin
  SHA-256: 2ae2352c5303ee539ec472d3ac140031b6f9840558eb34ee55a27eaad3edaf05
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x13A9
  Size: 8848 bytes

Filename: font_01_sfnt_off00007f8d.bin
  SHA-256: 2c32c498f23db3cae400dac070c72b38d41a5d5dbe5041cbe08e7cee44e1acfd
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7F8D
  Size: 2648 bytes
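To reproduce the carving step, the script below is an added example (not the analysis tool's code) that scans a byte buffer for the sfnt header, sizes each font from its table directory instead of trusting the stream's /Length, and names the output files by offset in the same `font_NN_sfnt_offXXXXXXXX.bin` style the report uses. The sample container, the fake fonts and the helper names are constructed for the example; real FontFile2 streams are usually FlateDecode-compressed and must be inflated before this scan sees them.

```python
"""Illustrative carver for sfnt (TrueType/OpenType) fonts embedded in a PDF: locate the
sfnt header, size the blob from its table directory, and name it by offset. Helper
names and the sample bytes are assumptions for this example."""
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")
MAX_TABLES = 64  # plausibility bound; real fonts carry roughly 10-30 tables


def sfnt_length(buf: bytes, off: int):
    """Length of the sfnt at off, derived from its table directory, or None if implausible."""
    if off + 12 > len(buf):
        return None
    num_tables = struct.unpack(">H", buf[off + 4:off + 6])[0]
    if not 1 <= num_tables <= MAX_TABLES:
        return None
    dir_end = 12 + 16 * num_tables  # header + table directory
    if off + dir_end > len(buf):
        return None
    end = dir_end
    for i in range(num_tables):
        rec = off + 12 + 16 * i
        tag, _checksum, t_off, t_len = struct.unpack(">4sIII", buf[rec:rec + 16])
        # Tags are printable ASCII and table data lives after the directory, inside the buffer.
        if not all(0x20 <= c < 0x7F for c in tag) or t_off < dir_end or off + t_off + t_len > len(buf):
            return None
        end = max(end, t_off + t_len)
    return (end + 3) & ~3  # table data is padded to a 4-byte boundary


def carve_sfnt(buf: bytes) -> list[tuple[str, int, bytes]]:
    """(filename, offset, blob) for every plausible sfnt found by a linear scan."""
    found = []
    pos = 0
    while True:
        hits = [h for h in (buf.find(m, pos) for m in SFNT_MAGICS) if h != -1]
        if not hits:
            return found
        off = min(hits)
        n = sfnt_length(buf, off)
        if n is None:
            pos = off + 1  # false positive on the magic bytes; keep scanning
            continue
        found.append((f"font_{len(found):02d}_sfnt_off{off:08x}.bin", off, buf[off:off + n]))
        pos = off + n


def build_fake_sfnt(tables: dict) -> bytes:
    """Constructed minimal sfnt (header, directory, padded tables); not a usable font."""
    n = len(tables)
    entry_selector = n.bit_length() - 1
    search_range = 16 << entry_selector
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", n, search_range, entry_selector,
                         16 * n - search_range)
    directory, data = b"", b""
    for tag, blob in tables.items():
        directory += struct.pack(">4sIII", tag, 0, 12 + 16 * n + len(data), len(blob))
        data += blob + b"\0" * (-len(blob) % 4)
    return header + directory + data


# Constructed PDF-like container with two uncompressed font streams.
FONT_A = build_fake_sfnt({b"head": b"\x01" * 54, b"name": b"\x02" * 6})
FONT_B = build_fake_sfnt({b"cmap": b"\x03" * 20})
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Length " + str(len(FONT_A)).encode() + b" >>\nstream\n" + FONT_A
              + b"\nendstream\nendobj\n2 0 obj\n<< /Length " + str(len(FONT_B)).encode()
              + b" >>\nstream\n" + FONT_B + b"\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for name, off, blob in carve_sfnt(SAMPLE_PDF):
        print(f"{name}: {len(blob)} bytes at 0x{off:X}")
```

Sizing from the directory is what makes the carved file usable: the stream's /Length can be wrong or absent in a hostile document, while a font that does not satisfy the directory bounds is rejected outright instead of producing a truncated or oversized artifact.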