Malicious PDF — malware analysis report

Static analysis result for SHA-256 7e273f01908a850b…

MALICIOUS

PDF

Size: 36.4 KB
Authoring application: Solid Converter PDF
MD5: a811ade3bc57b61aa8e7c2d9d164afbd
SHA-1: 73aa5f80b8dafe885b6394cba21a68483993857c
SHA-256: 7e273f01908a850ba911314902b75189926d92588712b1ef49ff8c5658a53908
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs, many of which point to other PDF files, indicating a link farm designed to distribute malicious content. The heuristic 'PDF_SEO_LINK_FARM' and ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' strongly suggest a phishing or malware distribution campaign. The document body, while containing some obfuscated text, also includes several of these malicious URLs, reinforcing the attack pattern.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical) [PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical) [CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002d4d.bin
SHA-256: 8f728532216567db5741dbef4d6a4b5f2ae9474f8734e60ba44f565476004ab0
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2D4D
Size: 7984 bytes