Malicious PDF — malware analysis report

Static analysis result for SHA-256 a5a37036dff90754…

Verdict: MALICIOUS
File type: PDF
Size: 58.1 KB
Authoring application: QPDF
MD5: 0947c989d19cc6650ae48631b1b6e1fa
SHA-1: f8bcde34e95c3d30c11f71f71407adc8ee49c25e
SHA-256: a5a37036dff907541d13986001031d9167460bc0ba658d6d60a7264d46ffc394
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file was flagged by multiple heuristics, including a critical alert for a link farm and ClamAV detection as phishing malware. The embedded content contains a large number of external URLs, suggesting a phishing or SEO spam campaign. No scripts were extracted from this sample, limiting the ability to determine specific payload delivery mechanisms.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://ncmetalbuildingsdirect.com/uploads/1/3/0/5/130588433/domoxaxitoroju_wabonusut_kigenavefipepef_pizetebew.pdf
    • http://jzia.com/uploads/1/3/0/5/130544591/bepetunug_xonofisexodu_fovibupamana_fenaneba.pdf
    • http://andreaforgood.org/uploads/1/3/0/5/130588727/5224725.pdf
    • http://bremenfamilymartialarts.com/uploads/1/3/0/4/130483690/2800167.pdf
    • http://healthypins365.club/uploads/1/3/0/3/130323967/wexixipakumibe.pdf
    • http://philjeremypersonaltraining.com/uploads/1/3/0/3/130313378/bajuk.pdf
    • http://damselfly.org/uploads/1/3/0/5/130551164/fadila-mevixi-kopenulixeso.pdf
    • http://netdevl.com/uploads/1/3/0/7/130775868/miwibamaxepar.pdf
    • http://narkologicheskaja-klinika-saratov.ru/uploads/2020/01/27/nunof.pdf
    • http://dfm-tickets.com/uploads/1/3/0/5/130539341/pajuvofekoloje.pdf
    • http://bodyworkbybarb.com/uploads/1/3/0/7/130776821/130776821.html#cosmic+ray+spectrum

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000134d.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x134D
    Size: 8876 bytes
    SHA-256: 2bcfba05d7848a5718f032ed124acde85119b79c42158742410e19fde3375662
  • Filename: font_01_sfnt_off0000a8c8.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA8C8
    Size: 2884 bytes
    SHA-256: e2a609504f31aba74360c8f97aead3d8f97c76e888a653261413c8bef59e3205