Malicious PDF — malware analysis report

Static analysis result for SHA-256 89c00fc58ac6467e…

MALICIOUS

PDF

Size: 66.5 KB
Authoring application: Poppler-utils
MD5: 1182c9e1ddb7c0c9f4def0c13e1e4f3e
SHA-1: 650868c3061bee4ccd52f36722e1d26bf559b445
SHA-256: 89c00fc58ac6467ecb5f34c8e92ac97e7de00a68a0c4c0812134de8cb5983a60
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, indicating malicious intent. The PDF_SEO_LINK_FARM heuristic identified a large number of embedded external links, suggesting a link farm or distribution mechanism. The document body contains many of these URLs, which are likely used to redirect users to malicious content or further stages of an attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, tag: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (severity: info, tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://brohamas.com/uploads/1/3/0/6/130620314/9586103.pdf
    • http://nuts4less.net/uploads/1/3/0/5/130540493/7070058.pdf
    • http://labviewcentral.com/uploads/1/3/0/6/130620808/9216488.pdf
    • http://hollymays.com/uploads/1/3/0/2/130271226/1f2f4cf.pdf
    • http://drgnzombiestournament.com/uploads/1/3/0/6/130639719/4281360.pdf
    • http://hesaidhesaid.co/uploads/1/3/0/7/130776795/xiwem.pdf
    • http://mysprout.shop/uploads/1/3/0/3/130323656/61e5764acb16c.pdf
    • http://leadingladies904.com/uploads/1/3/0/5/130551249/bekirefabudiberixoro.pdf
    • http://ninecriticalmonths.com/uploads/1/3/0/6/130604421/tanuselogifuxax-tuzixixemufur.pdf
    • http://africanvulture.com/uploads/1/3/0/3/130379067/d93ab6b32f2c730.pdf
    • http://torranceheating.net/uploads/1/3/0/5/130547116/nesusufexevu.pdf
    • http://normantownchristian.com/uploads/1/3/0/6/130639400/80aec7e68d1d2.pdf
    • http://9f60ljd503.com/uploads/1/3/0/8/130814157/4163246.pdf
    • http://showtimetravelegency.com/uploads/1/3/0/8/130874212/04560d.pdf
    • http://electro-haptics.com/uploads/1/3/0/7/130739488/jesexumomo.pdf
    • http://mx.dakotalandtrust.org/uploads/1/3/0/6/130604710/2fc41ee14e77.pdf
    • http://sta-66-99-58-220.ladse.org/uploads/1/3/0/2/130270847/130270847.html#surah+kahf+full+pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000256a.bin
SHA-256: 0d6aaff06cf3e2648070ededc602378e51ad5db51d87bae8cc568920bdbd4c4c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x256A
Size: 7872 bytes