Malicious PDF — malware analysis report

Static analysis result for SHA-256 7d97f79027f85301…

Verdict: MALICIOUS

File type: PDF

Size: 46.3 KB
Authoring application: PDFedit

MD5: 1f3ef8978855a560e4cc691cd80d6e9f
SHA-1: b13e45cc35cb999c7de8b8749f42f683f017581c
SHA-256: 7d97f79027f853012a19f9aad0b1aa3a9d7ee11015e2ac36663bffb63c1f655a

Risk Score: 172

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a mass external link farm, with many URLs pointing to PDF documents, and a callback phishing lure related to Aadhar card mobile number linking. The ML classifier and ClamAV detection strongly indicate malicious intent, likely for phishing or credential harvesting. No scripts were extracted, but the embedded URLs are the primary indicators of compromise.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Callback phishing phone lure (medium, SE_CALLBACK_LURE)
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://meghanacallahan.com/uploads/1/3/0/7/130739974/3614247.pdf
    • https://vozugufuzul.weebly.com/uploads/1/3/0/2/130288468/neripobisawoge_musivigudume_sosukepib.pdf
    • http://lapen.us/uploads/1/3/0/6/130640107/bodinoxalodekifam.pdf
    • http://galadus.pl/uploads/1/3/0/6/130605447/nagimedibu_vekozorojaxid_novulopabatokob_siwapoluridub.pdf
    • http://cneachome.com/uploads/1/3/0/6/130639267/b9e0284.pdf
    • http://michaelshusko.com/uploads/1/3/0/4/130435888/130435888.html#aadhar+card+mobile+number+link+form+download
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename (with SHA-256), Kind, Source, Size

  • font_00_sfnt_off00001103.bin
    SHA-256: 18ae7d238de9d186aa2cb2ca64a92f5a90e40e94c4643cc482e0b2e5df520354
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1103
    Size: 8080 bytes
  • font_01_sfnt_off0000633d.bin
    SHA-256: 83459e82cebe561b9e65dda6a09953c9e35f75e5df0fa62a624e1833cc5b8086
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x633D
    Size: 1708 bytes
  • font_02_sfnt_off00006c04.bin
    SHA-256: f0bc93c773957a4957c5d50397d99d2cb866b99162f26d0eef4a7b05ba57595c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6C04
    Size: 8840 bytes