Malicious PDF — malware analysis report

Static analysis result for SHA-256 9267636baee60478…

Verdict: MALICIOUS
File type: PDF
Size: 46.0 KB
Authoring application: Smallpdf Desktop
MD5: d6097b3d7ad4c897f6a3095d7cfe45c6
SHA-1: b055b6220a9ce14624aa213572b7012670521904
SHA-256: 9267636baee604781bf4609c6c14f279a6912086ceabd701f9af4fa2b4226214
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded URLs, identified as a link farm, which is a common technique for distributing malicious content or conducting phishing attacks. The ClamAV detection and ML classifier strongly indicate malicious intent. The embedded URLs likely lead to further stages of the attack, such as downloading additional payloads or redirecting to phishing sites.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off000051f3.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x51F3 | 8096 bytes
SHA-256 of font_00_sfnt_off000051f3.bin: 193ae74351a8f6db88b0c0cb55d99038759930b73bdb26ef08c0640ef699df98