Malicious PDF — malware analysis report

Static analysis result for SHA-256 82d74f440f6d9658…

Verdict: MALICIOUS

File type: PDF

Size: 31.1 KB
Authoring application: pstoedit
MD5: ad219288cff550bca19e1e73f3dc8da7
SHA-1: bf3d1ddf29122d4165b56cafec59cfea4869e2d0
SHA-256: 82d74f440f6d965882bd91709147c534da9a16aea2e69ee0f4c788eb38fdfa92
Risk Score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

This PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, as malicious. The PDF contains a large number of embedded external links to other PDF files hosted on Weebly subdomains. This technique is often used to create SEO link farms for phishing or to distribute malware. The document body itself is heavily obfuscated and contains what appears to be malformed text, suggesting it is not intended for direct user interaction but rather as a container for the malicious links.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000129c.bin
SHA-256: 103973e16de475474105be4961c1014f1cacb7eb7deb4aed126c1f2e34678415
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x129C
Size: 7088 bytes