Malicious PDF — malware analysis report

Static analysis result for SHA-256 8d4e1ced2f29842f…

Verdict: MALICIOUS
File type: PDF
Size: 44.4 KB
Authoring application: Pdftk
MD5: 267cef5d2208b244137b7d4eaaa5f360
SHA-1: 74cf529e682f62d59b60ffa4ae8fbfadf401c434
SHA-256: 8d4e1ced2f29842f49174f0ffe48fa36308282ad9b469de55db10a0227e335df
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.001 User Execution: Malicious Link

The PDF_SEO_LINK_FARM heuristic indicates a mass external PDF link farm: 25 clickable links to .pdf files on 25 different hosts, plus one .html landing page, inside a 44.4 KB document. The ML classifier (malicious score 0.9996) and the ClamAV signature match independently support the malicious classification. The embedded URLs are most likely part of a phishing or traffic-driving scheme that redirects users to harmful or unwanted-software content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links clustered either on one host or, as in this sample, on one upload-path layout spread across many hosts: 24 of the 25 .pdf targets and the .html page below sit under a /uploads/<n>/<n>/<n>/<n>/<id>/ path, a layout characteristic of Weebly-hosted sites. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://drashraf.co.uk/uploads/1/3/0/6/130605012/8701380.pdf
    • http://anufoundation.org/uploads/1/3/0/6/130639755/1749451.pdf
    • http://mishkinphoto.com/uploads/1/3/0/7/130740190/93effd.pdf
    • http://yorkshirecajun.com/uploads/1/3/0/6/130621002/d3451459500d.pdf
    • http://acsconsulting.online/uploads/1/3/0/3/130323896/jofonevifole_dapekem_fetovejaxaj.pdf
    • http://evq.ro/uploads/1/3/0/4/130435690/823396.pdf
    • http://mhr-international.eu/uploads/1/3/0/6/130620416/89d5e.pdf
    • http://iraberezenko.com/uploads/1/3/0/8/130874333/53afd7a8b44ad4.pdf
    • http://cinno.ca/uploads/1/3/0/6/130604580/4852776.pdf
    • http://blazessnowremoval.com/uploads/1/3/0/3/130313271/bevodapov.pdf
    • http://thebeautifulwomanjb.com/uploads/1/3/0/2/130272509/a74c619d164ad9.pdf
    • http://bitforlife.ru/uploads/2020/01/28/5833127.pdf
    • http://skillassoundandvision.com/uploads/1/3/0/6/130621740/goguwovosipoji_peferuxutazu.pdf
    • http://premiumrooms.com/uploads/1/3/0/5/130588297/2659060.pdf
    • http://warrenbaker.org/uploads/1/3/0/2/130271035/bimamukuku.pdf
    • http://poshgroom.com/uploads/1/3/0/6/130639956/7586156.pdf
    • http://smartbuyerstech.com/uploads/1/3/0/6/130620791/kaxer.pdf
    • http://myteachertoolbelt.com/uploads/1/3/0/6/130604918/3809069.pdf
    • http://mylenderscott.com/uploads/1/3/0/2/130272254/4017812.pdf
    • http://jsmtutoring.com/uploads/1/3/0/6/130604523/lilepulari.pdf
    • http://tophatalgarve.com/uploads/1/3/0/4/130476180/mexun.pdf
    • http://mikewilbanks.com/uploads/1/3/0/4/130488220/5d40ecab3f29.pdf
    • http://squaretaper.info/uploads/1/3/0/6/130639845/fb252015379edd.pdf
    • http://r3healthandfitness.com/uploads/1/3/0/3/130312914/3af2a7273.pdf
    • http://noramanca.com/uploads/1/3/0/6/130621545/jerebelup.pdf
    • http://blockchainambassador.ca/uploads/1/3/0/5/130589064/130589064.html#area+and+perimeter+of+square+in+java
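The link-farm heuristic above counts clickable external PDF links in a small file and asks whether they cluster. In this sample the clustering is not on one host but on one upload-path layout across many hosts, so a check that only groups by hostname would miss it. The following is an added example written for this page, not the scanner's own code: a raw-byte /URI extractor that handles both literal and hex PDF strings, a path-template counter that collapses digit runs, and a constructed one-page PDF built from a dozen of the URLs listed above. The thresholds (100 KB file size, 10 .pdf links, 50% cluster share) and the helper names are assumptions for the example.

```python
"""Link-farm heuristic for PDFs (added example): pull /URI targets out of raw
PDF bytes, then flag a small file whose external links cluster on one host
or on one upload-path template. Thresholds here are illustrative assumptions."""
import re
from collections import Counter
from urllib.parse import urlsplit

# /URI followed by either a (literal string) or a <hex string>; both forms are legal PDF.
_URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)", re.S)
_ESCAPES = {ord("n"): b"\n", ord("r"): b"\r", ord("t"): b"\t",
            ord("("): b"(", ord(")"): b")", ord("\\"): b"\\"}

# Constructed sample input: a subset of the URLs from this report's embedded-URL list.
SAMPLE_URLS = [
    "http://drashraf.co.uk/uploads/1/3/0/6/130605012/8701380.pdf",
    "http://anufoundation.org/uploads/1/3/0/6/130639755/1749451.pdf",
    "http://mishkinphoto.com/uploads/1/3/0/7/130740190/93effd.pdf",
    "http://yorkshirecajun.com/uploads/1/3/0/6/130621002/d3451459500d.pdf",
    "http://acsconsulting.online/uploads/1/3/0/3/130323896/jofonevifole_dapekem_fetovejaxaj.pdf",
    "http://evq.ro/uploads/1/3/0/4/130435690/823396.pdf",
    "http://mhr-international.eu/uploads/1/3/0/6/130620416/89d5e.pdf",
    "http://iraberezenko.com/uploads/1/3/0/8/130874333/53afd7a8b44ad4.pdf",
    "http://cinno.ca/uploads/1/3/0/6/130604580/4852776.pdf",
    "http://blazessnowremoval.com/uploads/1/3/0/3/130313271/bevodapov.pdf",
    "http://bitforlife.ru/uploads/2020/01/28/5833127.pdf",
    "http://premiumrooms.com/uploads/1/3/0/5/130588297/2659060.pdf",
    "http://blockchainambassador.ca/uploads/1/3/0/5/130589064/130589064.html#area+and+perimeter+of+square+in+java",
]


def _unescape_literal(raw: bytes) -> bytes:
    """Undo PDF literal-string backslash escapes (the subset that matters for URLs)."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == 0x5C and i + 1 < len(raw):  # backslash escape
            out += _ESCAPES.get(raw[i + 1], raw[i + 1:i + 2])
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return bytes(out)


def extract_uris(pdf: bytes) -> list:
    """All /URI targets in document order. This is a raw-byte scan: it will not see
    annotations stored inside Flate-compressed object streams (decompress first)."""
    uris = []
    for m in _URI_RE.finditer(pdf):
        lit, hexed = m.group(1), m.group(2)
        if lit is not None:
            uris.append(_unescape_literal(lit).decode("latin-1"))
        else:
            uris.append(bytes.fromhex(re.sub(rb"\s", b"", hexed).decode("ascii")).decode("latin-1"))
    return uris


def path_template(url: str) -> str:
    """Directory part of the path with digit runs collapsed:
    /uploads/1/3/0/6/130605012/8701380.pdf -> /uploads/N/N/N/N/N"""
    directory = urlsplit(url).path.rsplit("/", 1)[0] or "/"
    return re.sub(r"\d+", "N", directory)


def link_farm_report(pdf: bytes, max_size: int = 100 * 1024,
                     min_pdf_links: int = 10, cluster_share: float = 0.5) -> dict:
    """Score one PDF. Links count as clustered if one host OR one path template
    accounts for at least cluster_share of all external links."""
    external = [u for u in extract_uris(pdf) if urlsplit(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in external)
    templates = Counter(path_template(u) for u in external)
    top_host, top_host_n = hosts.most_common(1)[0] if hosts else (None, 0)
    top_tpl, top_tpl_n = templates.most_common(1)[0] if templates else (None, 0)
    n = len(external)
    clustered = n > 0 and max(top_host_n, top_tpl_n) / n >= cluster_share
    return {
        "size_bytes": len(pdf), "external_links": n, "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts), "top_host": top_host, "top_host_links": top_host_n,
        "top_path_template": top_tpl, "top_template_links": top_tpl_n,
        "flagged": len(pdf) <= max_size and len(pdf_links) >= min_pdf_links and clustered,
    }


def build_sample_pdf(urls) -> bytes:
    """Constructed test input: a one-page, uncompressed PDF whose only content is
    one /Link annotation per URL (every third target stored as a hex string)."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>", b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annots = []
    for i, u in enumerate(urls):
        raw = u.encode("latin-1")
        if i % 3 == 2:
            target = b"<" + raw.hex().encode("ascii") + b">"
        else:
            for ch in (b"\\", b"(", b")"):  # escape literal-string delimiters
                raw = raw.replace(ch, b"\\" + ch)
            target = b"(" + raw + b")"
        annots.append(b"%d 0 R" % (4 + i))
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    b"/A << /S /URI /URI " + target + b" >> >>")
    objs.insert(2, b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
                   + b" ".join(annots) + b"] >>")
    body, offsets = b"%PDF-1.4\n", []
    for num, obj in enumerate(objs, 1):
        offsets.append(len(body))
        body += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    xref = len(body)
    body += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    body += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    body += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return body


if __name__ == "__main__":
    for key, value in link_farm_report(build_sample_pdf(SAMPLE_URLS)).items():
        print(f"{key}: {value}")
```

On the constructed sample every link is on a different host, so `top_host_links` is 1, yet `top_path_template` comes back as `/uploads/N/N/N/N/N` for 12 of 13 links and the file is flagged; a single ordinary citation link is not. Against a real sample, run the extractor on the decompressed object stream content (any full PDF parser can expand /ObjStm and Flate streams) rather than on the raw file, or link annotations in PDF 1.5+ files will be missed.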

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002fdd.bin
  SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2FDD
  Size: 16036 bytes

Filename: font_01_sfnt_off00004750.bin
  SHA-256: 8be5bef32e5108bd8e15c4dde1d031f9fa240f1971f4c9e20b4057f63c7337e3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x4750
  Size: 8804 bytes