Malicious PDF — malware analysis report

Static analysis result for SHA-256 7c28ba71afd587bb…

Verdict: MALICIOUS
File type: PDF
Size: 62.4 KB
Authoring application: Pdftk
MD5: dcac54c19cf6d28dfb15ff06a1b4963a
SHA-1: 3cf7c7c770aa4e12903197f3cceb97f0e6ab10dc
SHA-256: 7c28ba71afd587bbfce038c096185b26148d04a4472b62e7d9380d4e395c60ca
Risk score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, as malicious. It contains a large number of embedded URLs pointing to external PDF files, suggesting a link farm or redirection mechanism. The document body is heavily obfuscated and does not provide clear user-facing content, but the presence of numerous external links is a strong indicator of malicious intent, likely for SEO spam or phishing. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://tulatech.com/uploads/1/3/0/6/130621703/boxuwigujoj-julafekagub-paxixa-jinen.pdf
    • http://rootstogrow.com/uploads/1/3/0/5/130588499/nojerikojolel.pdf
    • http://wordofthecrossministries.com/uploads/1/3/0/2/130287930/fezirubuwobujebabifu.pdf
    • http://ns1.borkadancer.com/uploads/1/3/0/5/130550836/bowodewuxezoxov-zimirateni-fiporufo.pdf
    • http://personalinjurylawyer-calgary.com/uploads/1/3/0/7/130776239/bogunivo.pdf
    • http://enticionote.com/uploads/1/3/0/6/130604656/lopizopugejukix.pdf
    • http://btlcoregon.org/uploads/1/3/0/8/130813546/fokiro-zulinebodul-meruw.pdf
    • http://honda-va.com/uploads/1/3/0/5/130589216/2936589b166c9b2.pdf
    • http://www.themaidstonemarch.com/uploads/1/3/0/6/130604324/dajulo_mawizejiwipu_xizaxinupaj.pdf
    • http://onlythedrops.com/uploads/1/3/0/4/130476215/rogonebamuju_nanewugeg.pdf
    • http://juliepearlman.net/uploads/1/3/0/4/130436298/gewawug-xadubo-mesofuk-gozibepomiguxe.pdf
    • http://officialbrookekelly.com/uploads/1/3/0/5/130539840/loxitawog_subibukaxines_tiweberovov.pdf
    • http://engpossible.com/uploads/1/3/0/4/130483294/7561156.pdf
    • http://metroprointeriors.com/uploads/1/3/0/7/130738831/juxuvulovowapimirewe.pdf
    • http://www.ag-fashionagency.fr/uploads/1/3/0/7/130776204/lamiremovo.pdf
    • http://partypalscharacterrentalllc.net/uploads/1/3/0/7/130776810/6363854791.pdf
    • http://ncmodern.com/uploads/1/3/0/5/130539763/zekegivo.pdf
    • http://theelfbox.com/uploads/1/3/0/9/130969835/130969835.html#cholera+ppt+2019

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000015a2.bin
  SHA-256: 32a56a37e879352edddc147b8ed1098dc0c8a4c05565513226d1eaa9f98d2365
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x15A2
  Size: 8780 bytes

Filename: font_01_sfnt_off0000baa1.bin
  SHA-256: 41d5c9cb4d60b7530e3cfd93a78efd430fe179aa57a8296e74fb8a971da4b0ee
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xBAA1
  Size: 2600 bytes