Malicious PDF — malware analysis report

Static analysis result for SHA-256 7c8c39f6b0146ca7…

MALICIOUS

PDF

Size: 44.3 KB
Authoring application: QPDF
MD5: 43917cd1536459038498270fde72d801
SHA-1: 69e2fb3ab41e569030edd0e6e00c9aaf8d8c87de
SHA-256: 7c8c39f6b0146ca7a4c39b3083b1c108175abecc094fe9f9d7589c5628728ae8
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs pointing to external PDF files, a technique often used for SEO manipulation or to distribute further malicious content. ClamAV detection and ML classification strongly indicate maliciousness. The presence of numerous external links suggests an attempt to direct users to potentially harmful resources.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000053ba.bin
          081b023f5da9d6a9580da9819841217431888cc28c7d91a1391e9ee77596bbb0
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x53BA
Size: 8512 bytes