Malicious PDF — malware analysis report

Static analysis result for SHA-256 8e797244cac8032b…

MALICIOUS

PDF

Size: 33.5 KB
Authoring application: PDFedit
MD5: abba7804cf706a9cc580d0b65e0e267f
SHA-1: a000356ce5ff73283b643685db6dd5fc32a0a218
SHA-256: 8e797244cac8032be30bf691db7eec9b4c953d68d34b16d83bfa4c86b14f1563
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF contains a link farm designed to redirect users to numerous other PDF files, masquerading as a "story book pdf free download". This is a common tactic for phishing or malware distribution. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or trojan downloaders.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://sparkfaith.com/uploads/1/3/0/7/130775489/a33e3034ef.pdf
    • http://zenon-and-co.com/uploads/1/3/0/7/130739938/gipisosimuz.pdf
    • http://tanquerita.com/uploads/1/3/0/7/130738603/2755300.pdf
    • http://keynoteconnections.com/uploads/1/3/0/8/130814682/d69b912b4a.pdf
    • http://westvalleycdaap.com/uploads/1/3/0/4/130476688/jisanuvenoveta_liluzegoxutekis_ranura.pdf
    • http://nicholebertucci.com/uploads/1/3/0/2/130270936/7f19145e71dd.pdf
    • http://wizzteam.space/uploads/1/3/0/5/130542982/budivov_jemevobom.pdf
    • http://shelleycorr.com/uploads/1/3/0/5/130589384/dijefebivik-tebitirowuba-sudipe-kipud.pdf
    • http://tahitianvillageapartments.com/uploads/1/3/0/5/130551181/xulaluluwovusiw_wagimokaz_fosadixajamofan_nasavamafineba.pdf
    • http://janiceandersonmusic.com/uploads/1/3/0/2/130287937/bekogemujag_temapipax.pdf
    • http://thekashempire.com/uploads/1/3/0/6/130621570/dasedokubizejorif.pdf
    • http://tjscatering44.com/uploads/1/3/0/3/130313249/nitel-novupoxewa-guruzume-lewubizinagozi.pdf
    • http://sanprado.net/uploads/1/3/0/7/130739864/130739864.html#english+story+book+pdf+free+download

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002bf5.bin
SHA-256: 8f2ac02af3d3ec537575f39fab3c350a22a1a5cef559bbf059e53b3a606e1f9c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2BF5
Size: 7364 bytes