Malicious PDF — malware analysis report

Static analysis result for SHA-256 80576a4874b78e7b…

Verdict: MALICIOUS
File type: PDF
Size: 39.4 KB
Authoring application: Soda PDF
MD5: c31b8b2694ce5a92f0e9bc8549b10bb5
SHA-1: d93f02edbc0f45a9b5c253a6fdaf2061ce58432e
SHA-256: 80576a4874b78e7b13cf9e853a678524c451c5ff7278bb9dce64cd53e8591224
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1566.002 Spearphishing Link

The PDF embeds 23 external URLs, 22 of them pointing to other PDF files and one to an HTML page, spread across 23 different hosts but all sharing the same /uploads/1/3/0/<n>/<site-id>/ path shape. That pattern is characteristic of generated SEO/link-farm PDFs, which are used to manipulate search rankings or to route readers into further malicious or unwanted-software downloads rather than to cite sources; note that the clustering here is by path template, not by host. The ClamAV signature and the ML classifier independently indicate malicious intent, consistent with phishing or malware distribution. No embedded scripts (such as JavaScript) were extracted from this sample, so the risk lies in where the links lead, not in anything the document executes when opened.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): small PDF contains a mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): embedded URLs
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://motwh.org/uploads/1/3/0/6/130603737/51079.pdf
    • http://kupcar.com/uploads/1/3/0/7/130739850/b6b58e0.pdf
    • http://myweeklyonline.com/uploads/1/3/0/6/130640239/boxepamo.pdf
    • http://unidosporlaprofesion.com.ar/uploads/1/3/0/7/130776101/bifizifiderura.pdf
    • http://3828riverroadbricknj.com/uploads/1/3/0/3/130323342/wigizixofur.pdf
    • http://kyledropp.com/uploads/1/3/0/4/130483492/pipubifad-bamowolazi-refapifomev-mofapavufiwob.pdf
    • http://nwrealtybrokers.com/uploads/1/3/0/6/130640231/4801120.pdf
    • http://sonicaarora.com/uploads/1/3/0/6/130621163/afec5d3.pdf
    • http://newearth.design/uploads/1/3/0/4/130476791/pusevujefej.pdf
    • http://cclmobile.org/uploads/1/3/0/5/130590168/8d1b3a51a82b.pdf
    • http://app.surveyswipe.com/uploads/1/3/0/6/130620979/6097c4ab8d41.pdf
    • http://www.hiddenbeautyofedwinstowe.com/uploads/1/3/0/6/130621060/7440154.pdf
    • http://navslaborers.org/uploads/1/3/0/4/130483924/3716553.pdf
    • http://avadhaniestate.net/uploads/1/3/0/3/130313359/xifonururoxowutog.pdf
    • http://couragedude.com/uploads/1/3/0/2/130289767/14773.pdf
    • http://purebark.com/uploads/1/3/0/6/130620970/27ebcd31.pdf
    • http://alleylouisville.com/uploads/1/3/0/6/130605174/338d5ec74168d4.pdf
    • http://webmail.smoochsoaps.com/uploads/1/3/0/3/130313428/6e7b141e01ee3.pdf
    • http://wiowigo.com/uploads/1/3/0/3/130323601/mebowitoviwusi_gopomazabekexo.pdf
    • http://nogenetix.com/uploads/1/3/0/5/130543035/3f2e9d0697cacd8.pdf
    • http://bikramyogaoswego.com/uploads/1/3/0/7/130776787/dazur.pdf
    • http://chrislockett.com/uploads/1/3/0/6/130640013/sifabikewofam.pdf
    • http://zuihaowanqipaiyouxi.br3h.com/uploads/1/3/0/8/130813866/130813866.html#profit+and+loss+account+balance+sheet+format
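As an added example that is not part of this report or the analysis platform's own code, the following Python script reproduces the two heuristics above: it extracts URLs from raw PDF bytes, labels the channel each one came from (a clickable /URI link annotation versus plain document text; macro and JS channels are not covered), and applies a PDF_SEO_LINK_FARM-style score (small file, many clickable external .pdf links, mostly on one host). The thresholds, the hypothetical hosts in the `.example` domain, and the constructed sample PDFs produced by `build_pdf` are all assumptions; the regex approach deliberately ignores compressed object streams and escaped string syntax, so it is a triage aid, not a parser.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Regex-based triage, not a full PDF parser: /URI (...) inside a link
# action dictionary, and any bare URL anywhere in the raw bytes.  Escaped
# parentheses and compressed object streams are not handled.
URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")
BARE_URL_RE = re.compile(rb"https?://[^\s<>()\"']+")


def extract_urls(pdf: bytes) -> list[tuple[str, str]]:
    """Return (channel, url) pairs.  Clickable link annotations are labelled
    'link_annotation'; URLs that only occur as plain text are labelled
    'document_body'.  Each URL is reported once; the first channel wins."""
    found: list[tuple[str, str]] = []
    seen: set[str] = set()
    for m in URI_ACTION_RE.finditer(pdf):
        url = m.group(1).decode("latin-1")
        if url not in seen:
            seen.add(url)
            found.append(("link_annotation", url))
    for m in BARE_URL_RE.finditer(pdf):
        url = m.group(0).decode("latin-1")
        if url not in seen:
            seen.add(url)
            found.append(("document_body", url))
    return found


def score_link_farm(pdf: bytes, *, small_kb: int = 64, min_links: int = 10,
                    pdf_ratio: float = 0.8, host_share: float = 0.5) -> dict:
    """PDF_SEO_LINK_FARM-style verdict (thresholds are assumptions): a small
    file whose clickable links are mostly external .pdf targets and mostly
    clustered on one host."""
    links = [u for ch, u in extract_urls(pdf) if ch == "link_annotation"]
    n = len(links)
    hosts = Counter(urlparse(u).netloc.lower() for u in links)
    pdf_links = sum(urlparse(u).path.lower().endswith(".pdf") for u in links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    result = {
        "size_kb": round(len(pdf) / 1024, 1),
        "clickable_links": n,
        "pdf_link_ratio": round(pdf_links / n, 2) if n else 0.0,
        "top_host": top_host,
        "top_host_share": round(top_count / n, 2) if n else 0.0,
    }
    result["link_farm"] = (
        len(pdf) < small_kb * 1024
        and n >= min_links
        and result["pdf_link_ratio"] >= pdf_ratio
        and result["top_host_share"] >= host_share
    )
    return result


def build_pdf(urls: list[str]) -> bytes:
    """Constructed input: a minimal one-page PDF with one /Link annotation
    per URL (no xref table; enough for regex triage, not for a viewer)."""
    annots = " ".join(f"{i + 4} 0 R" for i in range(len(urls)))
    objs = [
        "1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        f"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        f"/Annots [{annots}] >> endobj",
    ]
    for i, u in enumerate(urls):
        y = 700 - 20 * i
        objs.append(f"{i + 4} 0 obj << /Type /Annot /Subtype /Link "
                    f"/Rect [72 {y} 540 {y + 15}] /A << /S /URI /URI ({u}) >> >> endobj")
    body = "\n".join(objs)
    return f"%PDF-1.4\n{body}\ntrailer << /Root 1 0 R >>\n%%EOF\n".encode("latin-1")


# Constructed samples on hypothetical hosts.  The farm copies the report's
# /uploads/1/3/0/<n>/<site-id>/<name>.pdf path shape; the benign sample
# looks like ordinary citations.
FARM_URLS = [f"http://farm-host.example/uploads/1/3/0/6/1306{i:05d}/{i}.pdf"
             for i in range(10)] + [
    "http://other-a.example/uploads/1/3/0/7/130776101/x.pdf",
    "http://other-b.example/uploads/1/3/0/3/130323342/y.pdf",
]
BENIGN_URLS = ["https://standards.example/spec.pdf",
               "https://vendor.example/whitepaper",
               "https://lab.example/notes"]
FARM_PDF = build_pdf(FARM_URLS)
BENIGN_PDF = build_pdf(BENIGN_URLS)

if __name__ == "__main__":
    for name, pdf in (("farm", FARM_PDF), ("benign", BENIGN_PDF)):
        print(name, score_link_farm(pdf))
        for channel, url in extract_urls(pdf):
            print("   ", channel, url)
```

Run it as a script to see both verdicts; for a real sample, pass `open(path, "rb").read()` to `score_link_farm` and `extract_urls` instead of the constructed PDFs. The host-share test follows the heuristic's own wording; for a sample like this one, where every link is on a different host but shares one path template, a practitioner would add a second clustering measure on the normalised path (for example the `/uploads/1/3/0/` prefix) before trusting a negative result.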

Extracted artifacts (1)

Files carved from inside the sample during analysis. The single artifact is an embedded sfnt font stream, a normal component of a PDF; it is listed for completeness and is not itself an indicator.

Filename: font_00_sfnt_off000038a6.bin
SHA-256: 6ebe937fdd8e7b51615c35a0ff802533c2a61e11eaea237b08ececcb48c1f247
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x38A6
Size: 7996 bytes