Malicious PDF — malware analysis report

Static analysis result for SHA-256 9b31d6044f2e3ff9…

Verdict: MALICIOUS

File type: PDF

Size: 47.5 KB
Authoring application: Serif PagePlus
MD5: cfb0f629686849116b1aca34088edc72
SHA-1: 46148f9b4f14e102231a3ef14860d7513ae79928
SHA-256: 9b31d6044f2e3ff948569cb2aef6240801ac0ea78b599b5f5571f7b5da0cad8a
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF carries a large number of embedded links to other PDF files, a pattern characteristic of SEO spam or of carrier documents that route readers to malicious content hosted elsewhere. The ClamAV signature and the ML classifier both indicate malicious intent, most likely phishing or malware distribution through the linked documents. No scripts were extracted, and the document body was heavily obfuscated and truncated, so the specific lure could not be characterised further. Since the sample itself contains no active content, the extracted URLs are the actionable indicators to block or investigate.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://pawz4acause.com/uploads/1/3/0/5/130550762/rivuk-poxesiv-zenanurozu-godubig.pdf
    • http://dalestravel.info/uploads/1/3/0/4/130476598/tejifubadar-vopawafofire-gubosuxuxif.pdf
    • http://laurendevore.com/uploads/1/3/0/4/130483114/pepupa.pdf
    • http://florentincafe.ru/uploads/2020/01/28/judepunitudufu.pdf
    • http://adaradecor.com/uploads/1/3/0/6/130621384/vawefog_vujix.pdf
    • http://cerritosnotarypublic.com/uploads/1/3/0/5/130543575/7431562.pdf
    • http://mysteriesnghostsefiction.com/uploads/1/3/0/5/130590656/4441728f.pdf
    • http://notoriginal.shop/uploads/1/3/0/2/130272488/gafijesuragexozax.pdf
    • http://alinacruzfengshui.com/uploads/1/3/0/2/130271128/902e44ecfc3892.pdf
    • https://ruvotojizojige.weebly.com/uploads/1/3/0/3/130323210/af75a0c.pdf
    • https://ruruxofuki.weebly.com/uploads/1/3/0/3/130313748/d9514473891.pdf
    • http://seguro-property-management.com/uploads/1/3/0/2/130288507/a88829aa1c21.pdf
    • http://xuj.comparatuapuesta.com/uploads/2020/01/28/tegadusovivato_wimokijid.pdf
    • http://andreanelsonart.com/uploads/1/3/0/6/130620470/6402580.pdf
    • http://thebacqroom.com/uploads/1/3/0/5/130550915/madabefijosuzig.pdf
    • http://thejoyofjob.com/uploads/1/3/0/5/130550879/derevexemupu-lupig-kuxenuwali.pdf
    • http://nutritionwithnoelle.com/uploads/1/3/0/5/130590724/3044737.pdf
    • http://ride-ruse.si/uploads/1/3/0/6/130604708/562556.pdf
    • http://tcsonline.net/uploads/1/3/0/6/130621484/130621484.html#china+online+visa+application+form+cova
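The PDF_SEO_LINK_FARM heuristic above can be reproduced in a few lines. What follows is an added example, not the analysis engine's own code: it scans raw PDF bytes for /URI actions in both the literal-string and hex-string forms, counts external .pdf targets and how concentrated they are on one host, and flags a small file that carries many such links. The sample PDF builder, the invented hostnames and the thresholds (10 links, 200 KB) are assumptions for illustration; the engine's tuning is not published on this page. Because it works on raw bytes it only sees uncompressed objects, so a sample like this one, with an obfuscated body, would need its streams expanded first (for example `qpdf --qdf --object-streams=disable in.pdf out.pdf`).

```python
import re
from collections import Counter
from urllib.parse import urlparse

# /URI followed by a literal string (...) or a hex string <...>. Scans raw
# bytes, so objects inside compressed object streams are invisible to it
# (assumption: the sample was decompressed beforehand). Balanced nested
# parentheses inside a literal string are not handled.
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\[\s\S]|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)")


def _decode_literal(raw: bytes) -> str:
    # Undo PDF literal-string escapes: backslash-backslash, \( \) \n \r \t
    # and \ddd octal, which carriers use to hide the target from naive grep.
    def repl(m):
        esc = m.group(1)
        if esc[0] in b"01234567":
            return bytes([int(esc, 8) & 0xFF])
        return {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(esc, esc)
    return re.sub(rb"\\([0-7]{1,3}|[\s\S])", repl, raw).decode("latin-1")


def extract_uris(data: bytes) -> list:
    """Return every /URI target found in the raw PDF bytes, in file order."""
    uris = []
    for m in URI_RE.finditer(data):
        if m.group(2) is not None:                    # hex string form <...>
            h = re.sub(rb"\s", b"", m.group(2))
            h += b"0" if len(h) % 2 else b""          # PDF pads an odd hex digit with 0
            uris.append(bytes.fromhex(h.decode("ascii")).decode("latin-1"))
        else:                                         # literal string form (...)
            uris.append(_decode_literal(m.group(1)))
    return uris


def assess_link_farm(data: bytes, min_links: int = 10, max_size: int = 200 * 1024) -> dict:
    """Flag a small PDF whose link annotations point to many external PDFs.
    The thresholds are assumptions for this example, not the report's tuning."""
    uris = extract_uris(data)
    parsed = [urlparse(u) for u in uris]
    pdf_links = [p for p in parsed
                 if p.scheme in ("http", "https") and p.path.lower().endswith(".pdf")]
    hosts = Counter(p.netloc.lower() for p in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    return {
        "size": len(data),
        "uri_count": len(uris),
        "external_pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": top_n / len(pdf_links) if pdf_links else 0.0,
        "flagged": len(data) <= max_size and len(pdf_links) >= min_links,
    }


def build_sample_pdf(urls) -> bytes:
    """Constructed, uncompressed one-page PDF whose /Annots are /Link annotations
    with /URI actions, alternating literal and hex encodings of the target."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b""]  # page object, filled in once the annotation numbers are known
    refs = []
    for i, u in enumerate(urls):
        raw = u.encode("latin-1")
        if i % 2:
            enc = b"<" + raw.hex().encode("ascii") + b">"
        else:
            enc = b"(" + re.sub(rb"([\\()])", rb"\\\1", raw) + b")"
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    b"/A << /S /URI /URI " + enc + b" >> >>")
        refs.append(b"%d 0 R" % len(objs))
    objs[2] = (b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
               + b" ".join(refs) + b"] >>")
    out, offsets = [b"%PDF-1.4\n"], []
    for n, body in enumerate(objs, 1):
        offsets.append(sum(map(len, out)))
        out.append(b"%d 0 obj\n%s\nendobj\n" % (n, body))
    xref = sum(map(len, out))
    out.append(b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1))
    out.extend(b"%010d 00000 n \n" % o for o in offsets)
    out.append(b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
               % (len(objs) + 1, xref))
    return b"".join(out)


# Constructed link set with invented hostnames, shaped like the report's
# indicators (upload-style paths ending in .pdf) but not the real ones:
# nine links on one host plus three stragglers.
SAMPLE_LINKS = (
    ["http://farm-host.example/uploads/1/3/0/5/1305%05d/lure%d.pdf" % (i, i) for i in range(9)]
    + ["http://other-%d.example/uploads/2020/01/28/lure.pdf" % i for i in range(3)]
)

if __name__ == "__main__":
    for key, value in assess_link_farm(build_sample_pdf(SAMPLE_LINKS)).items():
        print("%-20s %s" % (key, value))
```

On the constructed sample this reports 12 external PDF links over 4 hosts with the top host carrying 75% of them, and sets the flag; the same builder with two links stays below the threshold. Against a real carrier, run the extractor on the decompressed file and feed the resulting URL list to the same blocklist or sandbox pipeline the report's EMBEDDED_URL channel would.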

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001032.bin
SHA-256: e494a1bdb13d78804fcb525c1732205ffb761a4169797fabe09e788eb827ce6c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1032
Size: 8008 bytes