Malicious PDF — malware analysis report

Static analysis result for SHA-256 9e632d14666e4198…

MALICIOUS

PDF

Size: 59.1 KB
Authoring application: pstoedit
MD5: e133c8cffc8192c1b43848ce2901255a
SHA-1: 78f2f95cffa11a4fd8c5384a5fbcd36f19519005
SHA-256: 9e632d14666e4198ed9280bdaad9a3d16afb9dd261ca3f950a1405861fb04edf
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1566.002 Spearphishing Link

The PDF was flagged by multiple detection sources, including a ClamAV signature and an ML classifier, indicating malicious intent. The PDF_SEO_LINK_FARM heuristic also fired, identifying a large number of external links, predominantly hosted on `linda-bellydancer.com`. This suggests the document is part of a phishing or SEO poisoning campaign that aims to redirect users to malicious sites. No scripts (JavaScript or otherwise) were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001694.bin
SHA-256: 2f6970e09a04b68f136942432b841dfc655c86c2f3c7195f108b68527c25028d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1694
Size: 8892 bytes