Malicious PDF — malware analysis report

Static analysis result for SHA-256 75a953017cca74a5…

Verdict: MALICIOUS
File type: PDF
Size: 40.3 KB
Authoring application: Smallpdf Desktop
MD5: 87c3ec50ceae61e7d7e79332e204d028
SHA-1: 1ce9913e35e9a20f45439e599d0b0fd5d644b9a9
SHA-256: 75a953017cca74a53d6e7b56154eed519d6a472840430432530306fba7e0152a
Risk score: 200

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of external links, many of which are structured as SEO-optimized PDF gateways, suggesting a link farm designed to redirect users. The document body, though partially corrupted, contains language related to insurance premium payments, aligning with the 'SE_PAYMENT_REDIRECT_LURE' heuristic. The presence of embedded URLs and the ClamAV detection strongly indicate malicious intent, likely to lead users to phishing or malware distribution sites.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (5)

  • Small PDF contains mass external PDF link farm (severity: critical, ID: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, ID: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Payment redirection / bank-detail change lure (severity: high, ID: SE_PAYMENT_REDIRECT_LURE)
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • Fake invoice / payment lure (severity: low, ID: SE_INVOICE_LURE)
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Embedded URL (severity: info, ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://giftoffullness.com/uploads/1/3/0/5/130539758/wimolorelerew.pdf
    • http://kalaman.net/uploads/1/3/0/6/130604618/nuvomivadazikom-kuwitejora.pdf
    • http://northcountryhomeinspection.com/uploads/1/3/0/3/130323116/2437543.pdf
    • http://michaeljamesvocals.com/uploads/1/3/0/5/130590531/tizamure_jazajutiretexil.pdf
    • http://www.hildedramstad.no/uploads/1/3/0/2/130270953/pokagikojatax_lemugo.pdf
    • http://shaydjohnsonphotography.com/uploads/1/3/0/6/130621542/678174.pdf
    • http://workingdeadfilm.com/uploads/1/3/0/6/130639922/xabisobisolim-lulosugodiduz.pdf
    • http://livecellphone.com/uploads/1/3/0/5/130550983/zupazepebizugiz_sejiw.pdf
    • http://lucassincasa.com/uploads/1/3/0/5/130589097/9558823.pdf
    • http://www.integratedself.net/uploads/1/3/0/6/130620848/6136128.pdf
    • http://loveyourchildren.org/uploads/1/3/0/7/130739978/xerurenes.pdf
    • http://divadollscouture.com/uploads/1/3/0/2/130289322/7501145.pdf
    • http://juan-jaramillo.com/uploads/1/3/0/5/130589020/45fbb61.pdf
    • http://samevenson.com/uploads/1/3/0/3/130313170/beb59f9073629dc.pdf
    • http://sparksrvpark.com/uploads/1/3/0/6/130621477/8281176.pdf
    • http://comalcountyfamilylawyer.com/uploads/1/3/0/6/130639249/1165d3646ccdbff.pdf
    • http://jarredmatthes.org/uploads/1/3/0/8/130873807/senurovitamofev_nipij_woxoxoraj.pdf
    • http://extravirgincoffee.com/uploads/1/3/0/7/130739063/130739063.html#aegon+religare+term+plan+premium+payment

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00003fec.bin
    SHA-256: 709140cbd52de9cc66f6f8486df51100642c5bda3ba822f786491519890744d0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3FEC
    Size: 8208 bytes