Malicious PDF — malware analysis report

Static analysis result for SHA-256 7fdb01d062bf5d13…

MALICIOUS

PDF

Size: 43.8 KB
Authoring application: Serif PagePlus
MD5: d1cb189a6fa2cb88cb22770ed11357cd
SHA-1: ad4339aa1e3052f2122c4e3af53888781b2bbdaf
SHA-256: 7fdb01d062bf5d13c23962c3cab5b22a9281923f49254d43785f73ea1743defa
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded URLs pointing to other PDF files, a technique often used for SEO spam or to distribute malicious content. ClamAV and ML heuristics confirm the malicious nature of the file, classifying it as phishing or a downloader. The embedded URLs are the primary indicators of compromise.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://12250parkway.com/uploads/1/3/0/6/130603859/siguber.pdf
    • http://nbrgraphs.com/uploads/1/3/0/4/130476525/guzuludu.pdf
    • http://naturecoastladyanglers.com/uploads/1/3/0/2/130273589/8337377.pdf
    • http://tomasharanphoto.com/uploads/1/3/0/3/130323430/bimavo.pdf
    • http://alixxpartners.com/uploads/1/3/0/2/130289237/wibeloto_sixeno_jokifuli_vujalim.pdf
    • http://stop-n-smelltheflowers.com/uploads/1/3/0/6/130604209/a34dfdda.pdf
    • http://tailormadeventures.com/uploads/1/3/0/2/130272333/20c9a2c.pdf
    • http://ishiro.com/uploads/1/3/0/3/130313634/wuxoxuko.pdf
    • http://kinstontruckingtransport.com/uploads/1/3/0/3/130313463/6086540.pdf
    • http://coffmannursing.com/uploads/1/3/0/7/130739340/130739340.html#araxis+merge+professional

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000011a1.bin
SHA-256: 954fa81a76464f278b88219628bd963bff570ddf04970318532c80cd4276d240
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x11A1
Size: 8176 bytes