Malicious PDF — malware analysis report

Static analysis result for SHA-256 8986fd6ba5995126…

Verdict: MALICIOUS
File type: PDF
Size: 41.4 KB
Authoring application: ImageMagick
MD5: 31a5550f426c1637d3f11a6612d0738a
SHA-1: ee5724205ef99eef1b970b8607e57351261311c5
SHA-256: 8986fd6ba5995126cdf9a7ba77b59b5c1d603291af8808e2abf9a486acf39bbd
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File

The PDF carries a large number of clickable external links to other PDF files, a pattern used for search-engine manipulation and for routing users into malware or unwanted-software delivery chains rather than for citing documents. The ClamAV signature and the ML classifier both flag the file as malicious. The embedded URLs are the primary indicators of compromise: although they sit on eleven different hosts, every target shares the same /uploads/1/3/0/<digit>/<nine-digit directory>/ path layout, which points to a single generated link farm or redirection chain rather than independently authored links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links that share one host or, as here, one generated path layout across many hosts. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://sleepdex.com/uploads/1/3/0/7/130740387/4072882.pdf
    • http://geoffreyhughgee.com/uploads/1/3/0/2/130287394/848b924e4c5.pdf
    • http://celinesestevez.com/uploads/1/3/0/2/130270900/2365483.pdf
    • http://lmylife.net/uploads/1/3/0/6/130620607/f61060482631d96.pdf
    • http://www.asouthernparadise.com/uploads/1/3/0/7/130739761/8d5a430fae27.pdf
    • http://theclementcanopysg.com/uploads/1/3/0/8/130873771/tapiwedexa-nulenal.pdf
    • http://grscloud.net/uploads/1/3/0/4/130488442/3227478.pdf
    • http://mta-sts.oxfordstation.pl/uploads/1/3/0/8/130873860/monipufazewixupiwe.pdf
    • http://www.thesupremecleanteam.com.au/uploads/1/3/0/7/130739024/1272921.pdf
    • http://myforeveryounghair.com/uploads/1/3/0/2/130289239/3685480.pdf
    • http://74-123-77-56.mgwnet.com/uploads/1/3/0/6/130621244/130621244.html#writing+task+2+ielts+academic+topics+2020
    • http://sleepdex.com/uploads/1/3/0/
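The link-farm heuristic above can be reproduced with standard-library Python. The block below is an added example, not the analysis platform's own code: it pulls /URI action targets out of the raw PDF bytes, applies the small-file / many-external-PDF-links rule with assumed thresholds (max_size, min_links, min_pdf_share, min_cluster_share are illustrative, not the platform's values), and goes beyond the heuristic's single-host criterion by also clustering targets by path template, which is what ties this sample's links together even though they sit on eleven different hosts. The PDF it builds is a constructed test input assembled from the URLs listed above; it is not the analysed file.

```python
"""Link-farm scoring over a PDF's link annotations (added example; thresholds are assumptions)."""
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import urlsplit

# /URI (...) of a URI action; tolerates backslash-escaped parens. Sees only
# uncompressed objects: annotations packed into object streams must be inflated first.
URI_RE = re.compile(rb"/URI\s*\((?P<u>(?:\\.|[^\\)])*)\)", re.DOTALL)

# Constructed sample input: the link targets listed in the report above.
SAMPLE_URLS = [
    "http://sleepdex.com/uploads/1/3/0/7/130740387/4072882.pdf",
    "http://geoffreyhughgee.com/uploads/1/3/0/2/130287394/848b924e4c5.pdf",
    "http://celinesestevez.com/uploads/1/3/0/2/130270900/2365483.pdf",
    "http://lmylife.net/uploads/1/3/0/6/130620607/f61060482631d96.pdf",
    "http://www.asouthernparadise.com/uploads/1/3/0/7/130739761/8d5a430fae27.pdf",
    "http://theclementcanopysg.com/uploads/1/3/0/8/130873771/tapiwedexa-nulenal.pdf",
    "http://grscloud.net/uploads/1/3/0/4/130488442/3227478.pdf",
    "http://mta-sts.oxfordstation.pl/uploads/1/3/0/8/130873860/monipufazewixupiwe.pdf",
    "http://www.thesupremecleanteam.com.au/uploads/1/3/0/7/130739024/1272921.pdf",
    "http://myforeveryounghair.com/uploads/1/3/0/2/130289239/3685480.pdf",
    "http://74-123-77-56.mgwnet.com/uploads/1/3/0/6/130621244/130621244.html#writing+task+2+ielts+academic+topics+2020",
]


def extract_uris(pdf: bytes) -> list[str]:
    """Every /URI target in the raw file, in file order, with PDF literal-string escapes undone."""
    return [re.sub(rb"\\(.)", rb"\1", m.group("u")).decode("latin-1")
            for m in URI_RE.finditer(pdf)]


def path_template(url: str) -> str:
    """Collapse numeric segments and the filename so structurally identical links on
    different hosts map to one template: /uploads/1/3/0/7/130740387/x.pdf -> /uploads/N/N/N/N/N/FILE"""
    segs = urlsplit(url).path.split("/")
    return "/".join("FILE" if i == len(segs) - 1 and s else "N" if s.isdigit() else s
                    for i, s in enumerate(segs))


def score_link_farm(pdf: bytes, *, max_size: int = 200_000, min_links: int = 8,
                    min_pdf_share: float = 0.6, min_cluster_share: float = 0.5) -> dict:
    """Small file + many external .pdf links + targets clustered by host or by path template."""
    external = [u for u in extract_uris(pdf) if urlsplit(u).scheme in ("http", "https")]
    n = len(external)
    pdf_links = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in external)
    templates = Counter(path_template(u) for u in external)
    top_host, top_host_n = hosts.most_common(1)[0] if hosts else (None, 0)
    top_tpl, top_tpl_n = templates.most_common(1)[0] if templates else (None, 0)
    r = {
        "size": len(pdf), "external_links": n, "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts), "top_host": top_host,
        "top_host_share": top_host_n / n if n else 0.0,
        "top_path_template": top_tpl, "top_template_share": top_tpl_n / n if n else 0.0,
    }
    clustered = (r["top_host_share"] >= min_cluster_share
                 or r["top_template_share"] >= min_cluster_share)
    r["link_farm"] = (r["size"] <= max_size and n > 0 and n >= min_links
                      and len(pdf_links) / n >= min_pdf_share and clustered)
    return r


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed test input: a one-page PDF whose only content is one /Link
    annotation with a /URI action per URL. Not the analysed sample."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
            + b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls))) + b"] >>"]
    for i, u in enumerate(urls):
        lit = u.encode("latin-1")
        for ch in (b"\\", b"(", b")"):  # escape PDF literal-string delimiters
            lit = lit.replace(ch, b"\\" + ch)
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [72 %d 540 %d] /Border [0 0 0] "
                    b"/A << /S /URI /URI (" % (700 - 20 * i, 715 - 20 * i) + lit + b") >> >>")
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % o for o in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)


if __name__ == "__main__":
    import json
    print(json.dumps(score_link_farm(build_sample_pdf(SAMPLE_URLS)), indent=2))
```

On the constructed sample the host share is 1/11, so a host-only rule would miss it, while the path-template share is 1.0 and the rule fires. Two caveats for real triage: object streams (PDF 1.5+) have to be inflated before the regex sees their annotations, and the rule is a trigger for inspection, not a verdict on its own; here it is corroborated by the ClamAV signature and the classifier score.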

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00002e00.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x2E00  17984 bytes
  SHA-256: 47379fdb407f2f2736b15b3745ebeb7441c7f56d44c07a9c874c42ce34eb1b29
font_01_sfnt_off00004991.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x4991  8756 bytes
  SHA-256: a231dc7687e37725c9397bc8e1f340905ddde05f22cd8f1bce1125e4af5f0b44
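Both carved artifacts are sfnt-structured font streams (the table container used by TrueType and OpenType). As an added example that is not the platform's carving code, the following standard-library parser checks a carved blob's sfnt header and table directory so an analyst can confirm that the carved bytes form a coherent font rather than a mislabelled or truncated stream. The blobs it builds are constructed test inputs, not the two fonts carved here.

```python
"""Structural triage of a carved sfnt font blob (added example; sample blobs are constructed)."""
from __future__ import annotations

import struct

# Accepted sfntVersion tags: TrueType (0x00010000), CFF-based OpenType, Apple 'true', 'typ1'.
SFNT_VERSIONS = {b"\x00\x01\x00\x00", b"OTTO", b"true", b"typ1"}

# Constructed sample tables (tags in ascending order, as the directory requires).
SAMPLE_TABLES = {b"cmap": b"\x00\x00\x00\x01", b"name": b"constructed", b"post": b"\x00\x03\x00\x00"}


def table_checksum(data: bytes) -> int:
    """Big-endian uint32 sum over the table, zero-padded to a 4-byte multiple."""
    padded = data + b"\0" * (-len(data) % 4)
    return sum(struct.unpack(f">{len(padded) // 4}I", padded)) & 0xFFFFFFFF


def parse_sfnt(blob: bytes) -> dict:
    """Parse header and table directory, collecting problems instead of raising."""
    problems, tables = [], []
    if len(blob) < 12:
        return {"ok": False, "version": None, "num_tables": 0, "tables": tables,
                "problems": ["blob is shorter than the 12-byte sfnt header"]}
    version = blob[:4]
    num_tables, search_range, entry_selector, range_shift = struct.unpack(">HHHH", blob[4:12])
    if version not in SFNT_VERSIONS:
        problems.append(f"unknown sfntVersion {version!r}")
    if num_tables == 0:
        problems.append("numTables is 0")
    # The three search fields are derived from numTables; a mismatch is a cheap
    # sign of a hand-assembled or corrupted directory.
    es = max(num_tables.bit_length() - 1, 0)
    if (search_range, entry_selector, range_shift) != (16 << es, es, num_tables * 16 - (16 << es)):
        problems.append("searchRange/entrySelector/rangeShift do not match numTables")
    readable = num_tables
    if 12 + 16 * num_tables > len(blob):
        problems.append(f"table directory ({num_tables} records) runs past the end of the blob")
        readable = 0
    for i in range(readable):
        tag, csum, off, length = struct.unpack(">4sIII", blob[12 + 16 * i:28 + 16 * i])
        rec = {"tag": tag, "offset": off, "length": length, "checksum_ok": None}
        if off + length > len(blob):
            problems.append(f"table {tag!r} [{off:#x}+{length:#x}] lies outside the blob")
        elif tag != b"head":  # head is checksummed with checkSumAdjustment zeroed; skipped here
            rec["checksum_ok"] = table_checksum(blob[off:off + length]) == csum
            if not rec["checksum_ok"]:
                problems.append(f"table {tag!r} checksum mismatch")
        tables.append(rec)
    return {"ok": not problems, "version": version, "num_tables": num_tables,
            "tables": tables, "problems": problems}


def build_sfnt(tables: dict[bytes, bytes], *, bad_offset_for: bytes | None = None) -> bytes:
    """Constructed test blob: a TrueType-flavoured sfnt wrapping the given tables.
    bad_offset_for points one directory record outside the blob to simulate corruption."""
    n = len(tables)
    es = max(n.bit_length() - 1, 0)
    sr = 16 << es
    header = b"\x00\x01\x00\x00" + struct.pack(">HHHH", n, sr, es, n * 16 - sr)
    records, body = b"", b""
    for tag, data in tables.items():
        off = 0xFFFFFFF0 if tag == bad_offset_for else 12 + 16 * n + len(body)
        records += struct.pack(">4sIII", tag, table_checksum(data), off, len(data))
        body += data + b"\0" * (-len(data) % 4)
    return header + records + body


if __name__ == "__main__":
    print(parse_sfnt(build_sfnt(SAMPLE_TABLES)))
    print(parse_sfnt(build_sfnt(SAMPLE_TABLES, bad_offset_for=b"name"))["problems"])
```

Run it against a carved file with `parse_sfnt(open("font_00_sfnt_off00002e00.bin", "rb").read())`: a clean result says only that the container is well-formed; out-of-range table records, a directory longer than the blob, or checksum mismatches mean the carve boundary or the stream itself deserves a closer look before the font is fed to any rasteriser.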