Malicious PDF — malware analysis report

Static analysis result for SHA-256 9bedd5d878f329cd…

Verdict: MALICIOUS
File type: PDF
Size: 55.8 KB
Authoring application: Nitro PDF
MD5: 0653767cc36268f95723e2437edff663
SHA-1: 4759e20a2abef2a9902c7ac004ac97dcdfc5aabc
SHA-256: 9bedd5d878f329cd7cecb4d832463f655401300e74a692928f811eee0a725bae
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF was identified as malicious by ClamAV and an ML classifier. It contains a link farm with multiple embedded URLs, primarily pointing to other PDF files. The heuristic PDF_SEO_LINK_FARM specifically indicates the presence of numerous external PDF links, suggesting a distribution mechanism for further malicious content. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9997

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000145d.bin
    SHA-256: 1839fd6f27840667dc028cc10fac17fe8c249f0f477f70ee45db442277fb7a08
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x145D
    Size: 10532 bytes
  • Filename: font_01_sfnt_off00005cc4.bin
    SHA-256: eed97e1b58a344067823640c3b000a267a35326a69b2dd803c6534446c2fd37d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5CC4
    Size: 25784 bytes