Malicious PDF — malware analysis report

Static analysis result for SHA-256 a0f211de2c1aa62c…

Verdict: MALICIOUS
File type: PDF
Size: 42.4 KB
Authoring application: GIMP
MD5: c909efca38cde80299697010b220186a
SHA-1: f3efa308883fcc8ca12dc77134200903f0a2b8b9
SHA-256: a0f211de2c1aa62c205c8b92b27ce3ad219030eb33a0c366ff9518fe27da80dc
Risk Score: 150

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF was flagged by multiple heuristics, including ClamAV and an ML classifier, indicating malicious intent. The primary attack pattern observed is a link farm, directing users to numerous external PDF files. The embedded URLs suggest a phishing or content distribution campaign, potentially for SEO manipulation or malware delivery. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://niralidevgan.com/uploads/1/3/0/2/130291783/8027c311b.pdf
    • http://mew3mew.studio/uploads/1/3/0/5/130588220/3234188.pdf
    • http://rusibivuj.vipiski-besplatno19.icu/uploads/2020/01/28/3373995.pdf
    • http://radioevasi.com/uploads/1/3/0/6/130621809/4474218.pdf
    • http://midatlanticbowl.com/uploads/1/3/0/4/130483868/fakanego-bokufimanazudew.pdf
    • http://subordominant.com/uploads/1/3/0/4/130483981/5529757.pdf
    • http://thoughtjotsmemobooks.com/uploads/1/3/0/5/130590467/1398305.pdf
    • https://kukefokojuf.weebly.com/uploads/1/3/0/5/130590475/95002.pdf
    • http://midwesthomebuilding.com/uploads/1/3/0/6/130620478/b226045ba6c.pdf
    • http://fezosepig.roo1gai.ru/uploads/2020/01/29/57a085e.pdf
    • http://astarboards.com/uploads/1/3/0/3/130313191/ae925.pdf
    • http://postalmx.com/uploads/1/3/0/2/130270867/38606.pdf
    • http://automaticpocketdoor.com/uploads/1/3/0/4/130488544/55d090.pdf
    • http://wez.diba-konto.com/uploads/2020/01/28/fimufesekiko.pdf
    • http://vub.cafemostik.com/uploads/2020/01/28/6079943.pdf
    • http://livingmetroeast.com/uploads/1/3/0/6/130603930/jumowataj_gesenarib_kireroxuxuvo.pdf
    • http://mrncleaningservicescom.com/uploads/1/3/0/2/130291579/jiseno_fupegenoz_kilinumu.pdf
    • http://a-aon.com/uploads/1/3/0/6/130621412/6799301.pdf
    • http://aispng.org/uploads/1/3/0/3/130323184/b71f65b14e.pdf
    • http://mychampionlifechurch.com/uploads/1/3/0/2/130287527/sijir-bafipotof-zorofowore.pdf
    • http://pjclakes.com/uploads/1/3/0/5/130588656/da7ba0481.pdf
    • http://maggieakins.com/uploads/1/3/0/5/130550966/2f6a2015.pdf
    • http://nicolettabuildingcontractors.com/uploads/1/3/0/4/130435947/zubazelozifudekasomi.pdf
    • http://taxkill.com/uploads/1/3/0/3/130323674/zekarapapoloti.pdf
    • http://thesingbabysingshow.com/uploads/1/3/0/4/130489361/130489361.html#use+of+articles+in+english+grammar++worksheet
    • http://nicolettabuildingcontractors.com/uploads/1/3/0/4/1

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000170f.bin
SHA-256: 06ca1411d7fe4a0c1c1016cabc7b58d0a94fa6a04d37e1802accdcf79bf2fdf7
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x170F
Size: 8064 bytes