Malicious PDF — malware analysis report

Static analysis result for SHA-256 850baea322257eac…

Verdict: MALICIOUS
File type: PDF
Size: 53.1 KB
Authoring application: Serif PagePlus
MD5: 1d966ea1bb23471cbdca4dfe15516b4b
SHA-1: 0299ddd776cbe2ca3355a3a91f1e8d762d33c532
SHA-256: 850baea322257eac083919e16a00e12807adf6934d4ef144b6d9ea6bfc6b62f1
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries a large number of clickable external links, most of them pointing at other PDF files under /uploads/ paths with numeric slugs. That pattern is typical of generated SEO-spam PDFs that route readers into malware or unwanted-software delivery chains rather than of a document citing sources. The ClamAV signature match and the ML classifier both point the same way, towards phishing or payload distribution. No JavaScript was extracted from the file, so the T1059.007 mapping is not backed by a recovered script; the verdict rests on the document structure and the embedded URLs, which suggest an attempt to redirect users to harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://oceanpioneer.net/uploads/1/3/0/5/130588983/gakoj.pdf
    • http://en-help.center/uploads/2020/01/27/2952397.pdf
    • http://nfctigers.com/uploads/1/3/0/2/130287942/soxul.pdf
    • http://updogcoffee.com/uploads/1/3/0/6/130620441/dinev.pdf
    • https://gevaladexadiv.weebly.com/uploads/1/3/0/4/130435602/ranutubizot.pdf
    • https://nadobeja.weebly.com/uploads/1/3/0/3/130379548/3075526.pdf
    • http://ne-surgerycenter.net/uploads/1/3/0/5/130541661/130541661.html#kerala+cute+baby+photos+free
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    Reading note: the first seven URLs share the /uploads/.../<numeric id>/<slug>.pdf shape across unrelated hosts, and the .html link carries a keyword-stuffed fragment; these are the link-farm indicators. The dejavu.sourceforge.net, savannah.gnu.org and gnu.org URLs are font licence links of the kind normally found in the name tables of DejaVu and GNU FreeFont fonts; given the three sfnt fonts carved below, they are most plausibly font metadata and should not be read as phishing targets.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000010a6.bin
    SHA-256: 8c20d30267771c3da1da1d9422a0ca6c5271a2b444897ee4248bb26ba4943ed6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10A6
    Size: 8616 bytes
  • font_01_sfnt_off00006988.bin
    SHA-256: 0bcb8714eeee09f3a0b97cfa4268358194ea58a2d09b0ea1e98cdb863a7a445a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6988
    Size: 16404 bytes
  • font_02_sfnt_off00008005.bin
    SHA-256: 0d4109015733ce26e9bf1ca3cba5b61aa868114167b2bec12981ea867e5d965b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8005
    Size: 10876 bytes
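The two mechanical parts of this report, the PDF_SEO_LINK_FARM heuristic over link annotations and the carving of sfnt fonts from PDF streams, can be reproduced with a small standalone script. The one below is an added example, not the report's own tooling or the vendor's pipeline. It walks the raw file plus every stream that inflates, pulls /URI targets out of link annotations (handling both literal and hex PDF strings), scores a link-farm heuristic with assumed thresholds (200 KB, five .pdf links, half on one host; clustering on hostname is a simplification), and carves sfnt fonts by validating the offset table. The fixture PDF, its URLs and the minimal font are constructed and labelled as such.

```python
"""Added example (not the report's or vendor's code): link-annotation URI
extraction, a PDF_SEO_LINK_FARM-style score, and sfnt font carving.
Thresholds and the fixture below are constructed assumptions."""
import hashlib
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# PDF literal strings: (...) with backslash escapes; hex strings: <...>
_URI_RE = re.compile(rb"/URI\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)")
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
_SFNT_MAGIC = re.compile(rb"\x00\x01\x00\x00|OTTO|true")
_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t"}   # other escapes map to themselves


def decode_pdf_string(token: bytes) -> str:
    if token.startswith(b"<"):                     # hex string; odd length is padded with 0
        h = re.sub(rb"\s", b"", token[1:-1])
        return bytes.fromhex((h + b"0" if len(h) % 2 else h).decode("ascii")).decode("latin-1")
    body = token[1:-1]
    return re.sub(rb"\\(.)", lambda m: _ESC.get(m.group(1), m.group(1)), body).decode("latin-1")


def decoded_views(pdf: bytes):
    """Yield the raw file, then every stream body that inflates: annotations and
    fonts may live inside FlateDecode (object) streams rather than in plain text."""
    yield pdf
    for m in _STREAM_RE.finditer(pdf):
        try:
            out = zlib.decompressobj().decompress(m.group(1))  # tolerant of a clipped trailer
        except zlib.error:
            continue                                           # not a Flate stream
        if out:
            yield out


def extract_uris(pdf: bytes) -> list:
    seen, uris = set(), []
    for view in decoded_views(pdf):
        for m in _URI_RE.finditer(view):
            u = decode_pdf_string(m.group(1))
            if u not in seen:
                seen.add(u)
                uris.append(u)
    return uris


def link_farm_score(pdf: bytes, max_size=200 * 1024, min_links=5, cluster_ratio=0.5) -> dict:
    """Assumed rule: a small PDF whose clickable external .pdf links mostly hit one host."""
    uris = extract_uris(pdf)
    external = [u for u in uris if urlparse(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    return {"uris": uris, "external_pdf_links": len(pdf_links), "top_host": top_host,
            "top_host_share": round(share, 2),
            "PDF_SEO_LINK_FARM": len(pdf) <= max_size and len(pdf_links) >= min_links
            and share >= cluster_ratio}


def carve_sfnt(view: bytes) -> list:
    """(offset, length) of plausible sfnt fonts: the offset table must be sane and
    every table record in bounds, so stray magic bytes (e.g. the word 'true') are rejected."""
    found = []
    for m in _SFNT_MAGIC.finditer(view):
        off = m.start()
        n = int.from_bytes(view[off + 4:off + 6], "big")
        end = off + 12 + 16 * n
        if not 1 <= n <= 64 or end > len(view):
            continue
        for i in range(n):
            rec = view[off + 12 + 16 * i:off + 28 + 16 * i]
            toff, tlen = int.from_bytes(rec[8:12], "big"), int.from_bytes(rec[12:16], "big")
            if not all(0x20 <= b < 0x7F for b in rec[:4]) or off + toff + tlen > len(view):
                break
            end = max(end, off + toff + tlen)
        else:
            found.append((off, end - off))
    return found


def carve_fonts(pdf: bytes) -> list:
    out = []
    for view_no, view in enumerate(decoded_views(pdf)):
        for off, length in carve_sfnt(view):
            blob = view[off:off + length]
            out.append({"view": view_no, "offset": off, "length": length,
                        "sha256": hashlib.sha256(blob).hexdigest()})
    return out


# ---- constructed fixture (not a real sample) ----
def _pdf_escape(s: str) -> bytes:
    return re.sub(rb"([\\()])", rb"\\\1", s.encode("latin-1"))


def build_sample_sfnt() -> bytes:
    """Minimal sfnt: offset table + one 'head' record pointing at 54 zero bytes (82 bytes total)."""
    header = b"\x00\x01\x00\x00" + b"\x00\x01" + b"\x00\x10" + b"\x00\x00" + b"\x00\x00"
    record = b"head" + (0).to_bytes(4, "big") + (28).to_bytes(4, "big") + (54).to_bytes(4, "big")
    return header + record + b"\x00" * 54


def build_sample_pdf(uris, font: bytes) -> bytes:
    annots = []
    for i, u in enumerate(uris):   # first URI written as a hex string to exercise that path
        tok = b"<" + u.encode("latin-1").hex().encode() + b">" if i == 0 else b"(" + _pdf_escape(u) + b")"
        annots.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI " + tok + b" >> >>")
    z = zlib.compress(font)
    return (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [" + b" ".join(annots) + b"] >> endobj\n"
            b"4 0 obj << /Length " + str(len(z)).encode() + b" /Filter /FlateDecode >>\nstream\n" + z +
            b"\nendstream endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")


SAMPLE_URIS = [   # constructed hosts; shape mirrors the /uploads/<ids>/<slug>.pdf pattern
    "http://files.example.com/uploads/1/3/0/5/1001/a.pdf",
    "http://files.example.com/uploads/1/3/0/5/1002/b.pdf",
    "http://files.example.com/uploads/1/3/0/5/1003/c.pdf",
    "http://files.example.com/uploads/1/3/0/5/1004/d(1).pdf",
    "http://files.example.com/uploads/1/3/0/5/1005/e.pdf",
    "https://other.example.net/uploads/2020/01/27/2952397.pdf",
    "http://license.example.org/",   # benign metadata-style link, not counted
]
SAMPLE_PDF = build_sample_pdf(SAMPLE_URIS, build_sample_sfnt())
SAMPLE_FONT_SHA256 = hashlib.sha256(build_sample_sfnt()).hexdigest()

if __name__ == "__main__":
    print(link_farm_score(SAMPLE_PDF))
    print(carve_fonts(SAMPLE_PDF))
```

On the constructed fixture the score reports six external .pdf links with 0.83 of them on one host and fires the heuristic, while the single licence-style link is extracted but not counted, which is the distinction the EMBEDDED_URL entry makes between a URL and a detection. The carver finds the 82-byte font inside the inflated stream; on a real sample the offsets it reports are relative to the decoded view, so map them back through the stream's file offset if you need the on-disk position the report style uses.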