Malicious PDF — malware analysis report

Static analysis result for SHA-256 a3bdb5abc9b4bd98…

MALICIOUS

PDF

Size: 35.3 KB
Authoring application: Solid Converter PDF
MD5: d087eb651547084e2a3980675a0bed6a
SHA-1: 5811b6d871d6b712690375882f8eb968386dc797
SHA-256: a3bdb5abc9b4bd986116d7cf290ecb4d66e87478b2b950d6835de5936d07149e
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links pointing to external PDF files, a technique often used for SEO poisoning or distributing malicious content. ClamAV identified this as Pdf.Phishing.TtraffRobotInstall, indicating a phishing or traffic redirection campaign. The document body contains garbled text and a reference to a free download, further supporting a lure-based attack.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://smallbusinessloanfunding.com/uploads/1/3/0/6/130604919/pazitifes.pdf
    • http://bodega-capricho.com/uploads/1/3/0/4/130475955/2020981.pdf
    • http://lgbaonline.org/uploads/1/3/0/6/130639514/15bdf45.pdf
    • http://serbaballet.com/uploads/1/3/0/5/130539553/5289738.pdf
    • http://kerrycannon.com/uploads/1/3/0/7/130775252/fe323f.pdf
    • http://azseniorresourcesandmore.com/uploads/1/3/0/5/130551019/02018f.pdf
    • http://www.veryreadable.com/uploads/1/3/0/2/130289476/6383401.pdf
    • http://suttoneducationtrust.org/uploads/1/3/0/5/130545818/6113606.pdf
    • http://mistress-death.com/uploads/1/3/0/4/130476091/ziwuvixaboz_xanilukag_namujazowave.pdf
    • http://pattyconnellyphotography.com/uploads/1/3/0/7/130776667/5708ac4.pdf
    • http://ausin.co.nz/uploads/1/3/0/7/130775918/0ae70145fb206fb.pdf
    • http://pwsicecream.com/uploads/1/3/0/4/130488395/5436877.pdf
    • http://snugharborvillagebuckeyelake.com/uploads/1/3/0/8/130874629/sagox-jakaji-nexivexo-lotijopituxo.pdf
    • http://altdavos.club/uploads/1/3/0/6/130620272/gulapunu.pdf
    • http://bctee.com/uploads/1/3/0/6/130604539/6270208.pdf
    • http://wanderlustphotobus.net/uploads/1/3/0/4/130491356/130491356.html#ayat+ruqyah+full+free+download
    • http://mistress-deat

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename:  font_00_sfnt_off00002f93.bin
SHA-256:   1b1fa7295e136cab542a307edd3e5c0855115a5d6f5f363ab981a3e4850372eb
Kind:      pdf-font-stream
Source:    PDF embedded font (sfnt) at offset 0x2F93
Size:      7812 bytes