Malicious PDF — malware analysis report

Static analysis result for SHA-256 a0cf702ce2a514b3…

MALICIOUS

PDF

Size: 45.2 KB
Authoring application: pdf-parser
MD5: 2f9d97cc89a5b54b97779676844899ae
SHA-1: 19dbede4aade155cd98d66bae40ecbbf9d1ea7e5
SHA-256: a0cf702ce2a514b3ab4b2deaaebc8dfd2d2189add69f6b40a7f12082f2514493
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was flagged by multiple detections, including ClamAV and an ML classifier, indicating malicious intent. The primary heuristic identified a large number of external links, suggesting a link farm designed to redirect users to malicious content. The document body contains many of these URLs, reinforcing the attack pattern. No scripts were extracted, but the sheer volume of outbound links points to a phishing or malware distribution campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://cuggolin.xyz/uploads/2020/01/28/05effb64a.pdf
    • http://fop.rcway.ru/uploads/2020/01/28/6928267.pdf
    • https://kiwidabinivazig.weebly.com/uploads/1/3/0/2/130272500/9810603.pdf
    • http://willowtreefarminc.com/uploads/1/3/0/2/130287815/migedowigas.pdf
    • http://vholste.ru/uploads/2020/01/27/3473472.pdf
    • http://jut.veronicaasorey.com/uploads/2020/01/29/guwovaris-nedudes-suzanarakutar-mibojagop.pdf
    • http://pef.utlytesof.pro/uploads/2020/01/27/tavaja-tazukusiwale.pdf
    • http://snugnut.com/uploads/1/3/0/5/130543813/busulodivekupak.pdf
    • https://zulefejojobef.weebly.com/uploads/1/3/0/6/130604575/mifikelujatem_maxujepa.pdf
    • http://krenee.online/uploads/1/3/0/6/130604476/79e9147bb5b4d33.pdf
    • https://filasoxutatogiv.weebly.com/uploads/1/3/0/4/130478163/rubuxeraritisowibul.pdf
    • http://mimiscoffeehouseofhardwick.com/uploads/1/3/0/3/130379083/e619e1fd3c.pdf
    • http://vunisomona.reserve-money.top/uploads/2020/01/29/2040889.pdf
    • http://gege.bpthere.club/uploads/2020/01/28/rofinivavilumava.pdf
    • http://hasanpeays.net/uploads/2020/01/28/7250622.pdf
    • http://egjkl.xyz/uploads/2020/01/27/1185123.pdf
    • http://jlu-boston.org/uploads/1/3/0/3/130379741/8023986.pdf
    • http://havemeyerhomies.com/uploads/1/3/0/6/130620990/kimejiraratomovipetu.pdf
    • http://observationsandconclusions.com/uploads/1/3/0/4/130476539/9b210996393.pdf
    • http://bolivaryrodriguez.com/uploads/1/3/0/4/130476340/kujunumesir.pdf
    • http://pirogisolnce.ru/uploads/2020/01/29/tepuvixowokodof.pdf
    • http://dominguesandkane.com/uploads/1/3/0/5/130590241/130590241.html#trabalho+em+uma+transforma%C3%A7%C3%A3o+isob%C3%A1rica+exercicios+resolvidos

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size.

  • font_00_sfnt_off000016e5.bin
    SHA-256: ec45646bf3e308d5ffe7c3e953588767aa0f1a9397d552293e40c5605c3e7075
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x16E5
    Size: 10240 bytes
  • font_01_sfnt_off00006742.bin
    SHA-256: 1fb19a3e4b4e5f90a7347e6a9024fa5fb50df63c7316208be728a43e6e88f28a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6742
    Size: 16768 bytes