Malicious PDF — malware analysis report

Static analysis result for SHA-256 95c2dca8ede81ed5…

Verdict: MALICIOUS
File type: PDF
Size: 42.1 KB
Authoring application: QPDF
MD5: cb73e3de504c3545ae37877f4b0682b0
SHA-1: 0b7324357068fba31868671a034dd0451f5bd2f7
SHA-256: 95c2dca8ede81ed5573582154bf387854465e0e86437907bb89eb382c7980217
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was flagged by multiple heuristics, including a critical PDF_SEO_LINK_FARM rule and ClamAV detection for 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. The presence of a large number of external links, predominantly hosted on unrelated domains with numeric or generic slugs, strongly suggests a phishing or malware distribution campaign. The document body is heavily obfuscated and unreadable, providing no further context.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00003e6f.bin
    SHA-256: 41d5c9cb4d60b7530e3cfd93a78efd430fe179aa57a8296e74fb8a971da4b0ee
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3E6F
    Size: 2600 bytes
  • font_01_sfnt_off00004a2a.bin
    SHA-256: be20506c563342b3ded9823a39daae80273ad84cea50adc47202ccaad42f7b30
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4A2A
    Size: 8248 bytes