Malicious PDF — malware analysis report

Static analysis result for SHA-256 78fcccc0ea771b21…

MALICIOUS

PDF

40.2 KB Authoring application: Scribus
MD5: 159632f1ac849e33e8d888169e73ec02 SHA-1: befb584d97dc9069ecde8726fc4d53ad673d7344 SHA-256: 78fcccc0ea771b212bd6dc3ac27f7e04d9f7418596c4f77610eca1464a970464
212 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document contains a large number of embedded links to other PDF files, indicating a link farm designed to distribute malicious content. The heuristics suggest this is a phishing or payment redirection lure, aiming to trick users into downloading further malicious documents or providing sensitive information. The ML classifier and ClamAV detection strongly support its malicious nature.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.wedoitforthedogs.com/uploads/1/3/0/4/130477979/bc400d.pdf
    • http://callihanenglish.com/uploads/1/3/0/5/130550890/bonenol.pdf
    • http://stauffstauff.com/uploads/1/3/0/6/130639397/nobajipavuxal_jezoxuveg_xiniwopiliju_givixuz.pdf
    • http://hetbakpapier.com/uploads/1/3/0/2/130288932/pogiwilitusu.pdf
    • http://sbcweightlifting.com/uploads/1/3/0/6/130621284/5335789.pdf
    • http://alcojuice.com/uploads/1/3/0/8/130874563/xejafazowobitixa.pdf
    • http://vegangroupie.com/uploads/1/3/0/4/130436299/5007013.pdf
    • http://howlingmoonfox.com/uploads/1/3/0/6/130621649/8620396.pdf
    • http://www.polished2ashine.com/uploads/1/3/0/9/130969390/37191d940.pdf
    • http://mswilliamsonline.com/uploads/1/3/0/7/130775702/984e7.pdf
    • http://www.carowoods.co.uk/uploads/1/3/0/7/130775376/koleran.pdf
    • http://myswagbag.org/uploads/1/3/0/7/130738972/muloseg.pdf
    • http://mentalhealthhelpforyou.org/uploads/1/3/0/3/130323493/gudasewewelajolef.pdf
    • http://strengthpluscardio.com/uploads/1/3/0/4/130476150/jirejewun.pdf
    • http://42ndstreetsocial.com/uploads/1/3/0/6/130604257/701f711753b75.pdf
    • http://dedicated-22.pleasingfood.com/uploads/1/3/0/5/130539179/130539179.html#accounting+terminology+capital

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000427f.bin
5aa519d261eb15e410bc54f9922add5aba665f0fdbe928538a5e7a0414526e74		 pdf-font-stream PDF embedded font (sfnt) at offset 0x427F 7940 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.