Malicious PDF — malware analysis report

Static analysis result for SHA-256 8182b7b5c284c764…

MALICIOUS

PDF

Size: 42.8 KB
Authoring application: Poppler-utils
MD5: 459ece5ab7b625bb27198f937223b0e2
SHA-1: 605618d22453a1def44c820b0a069a5475381e2c
SHA-256: 8182b7b5c284c7648608b77a9c0220930036cfddc33a467c6907afe250f57c80
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a mass external link farm, with 25 links pointing to other PDF files hosted on various domains. The document body, though heavily obfuscated, contains text related to job applications, suggesting a lure to trick users into downloading further malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://univarsublease.com/uploads/1/3/0/4/130489359/dewil.pdf
    • http://www.tbc-om.com/uploads/1/3/0/8/130813714/8561380.pdf
    • http://imuaxchange.com/uploads/1/3/0/4/130476143/mezimigolinof.pdf
    • http://bulletmotorsport.com/uploads/1/3/0/7/130739061/jamifajemipurelanono.pdf
    • http://getsresources.com/uploads/1/3/0/3/130323355/3922881.pdf
    • http://nickihumblesbridalbeauty.com/uploads/1/3/0/2/130272582/38ed2.pdf
    • http://www.v-asstllc.com/uploads/1/3/0/8/130813398/gizijazijotuj-misidunivewoko-nusobapotav-kibowebo.pdf
    • http://thematstudionj.com/uploads/1/3/0/7/130775971/nemesomo_zetumi.pdf
    • http://thecut.studio/uploads/1/3/0/3/130379651/4e91c1591bc1c17.pdf
    • http://www.kivelyoffice.net/uploads/1/3/0/4/130436343/1195359.pdf
    • http://pruned.in/uploads/1/3/0/5/130589033/4510824.pdf
    • http://mail.jolandeschotten.nl/uploads/1/3/0/9/130968995/72933.pdf
    • http://ncscja.org/uploads/1/3/0/7/130776561/3876681.pdf
    • http://tucfd03.com/uploads/1/3/0/5/130539457/6152569.pdf
    • http://optodyce.org/uploads/1/3/0/2/130291536/cdd0891d0eacc6.pdf
    • http://saeedalmuhairy.com/uploads/1/3/0/6/130603874/lixorepuzibezasiv.pdf
    • http://thecarpetsmithoftulsa.com/uploads/1/3/0/5/130546937/wasuzuraj.pdf
    • http://britanynavarretephotography.com/uploads/1/3/0/7/130776519/8016635.pdf
    • http://nekohentaicat.porncolection.com/uploads/1/3/0/3/130323139/dopituzewodidaxogej.pdf
    • http://pxrministries.org/uploads/1/3/0/7/130738564/laliv.pdf
    • http://mydobel.store/uploads/1/3/0/6/130604173/mifagax-fetomuwesezupit-guvozux.pdf
    • http://conflag.us/uploads/1/3/0/2/130272928/a46ef.pdf
    • http://golfmissiontrips.com/uploads/1/3/0/6/130604185/rovokokerojuwu_riweloti_pupemimefiz.pdf
    • http://beautyinyouhairsupply.com/uploads/1/3/0/6/130621794/goviwil.pdf
    • http://bergencountyfieldhockey.com/uploads/1/3/0/7/130739393/rovusab.pdf
    • http://weatherproofguide.com/uploads/1/3/0/6/130620354/130620354.html#employment+job+application+letter+of+intent+sample

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000043b1.bin
    SHA-256: d72e370c07bfd0b9b79bde229abb3e24cc773662f1dd339f61c8a62afc8f7810
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x43B1
    Size: 7824 bytes