Malicious PDF — malware analysis report

Static analysis result for SHA-256 a86cfd6d41236d65…

Verdict: MALICIOUS
File type: PDF
Size: 36.0 KB
Authoring application: Soda PDF
MD5: fcb933fd5e5affb3cb34cba354125817
SHA-1: 1ec54fd4ccbdc392c0e1f05964b9df24bfaabf90
SHA-256: a86cfd6d41236d6526d76b2468f253546393d94468243c6c02f84d52179e0125
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file was flagged by ClamAV as Pdf.Phishing.TtraffRobotInstall-7605656-0 and by a machine learning classifier (Nyx PDF Classifier, malicious score 1.0000). The critical heuristic PDF_SEO_LINK_FARM indicates a large number of clickable external links to other PDFs, the first observed being http://mscbmx.com/uploads/1/3/0/4/130483207/4041295.pdf. The listed targets sit on different hosts but all share the same /uploads/1/3/0/<digit>/<nine-digit id>/ path layout, which points to generated content rather than a normal citation pattern. This suggests the document's primary purpose is to route users into a network of linked PDFs, likely for SEO spam or to stage further malicious or unwanted-software delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://mscbmx.com/uploads/1/3/0/4/130483207/4041295.pdf
    • http://azzurrawebart.com/uploads/1/3/0/7/130739043/6635143a4.pdf
    • http://projectrealestateagent.net/uploads/1/3/0/3/130323707/8404530.pdf
    • http://midnightepiphanyband.net/uploads/1/3/0/3/130313316/nesozibito-tunupogenuma-sefumufol.pdf
    • http://smallupsimpledown.com/uploads/1/3/0/3/130379104/bojejepowelusig-kulizav.pdf
    • http://catamaranadastra.com/uploads/1/3/0/7/130739472/902056.pdf
    • http://colorists.directory/uploads/1/3/0/5/130588676/bovaroduson.pdf
    • http://drbrettagrant.com/uploads/1/3/0/5/130551050/6e0484b120b.pdf
    • http://trambling.com/uploads/1/3/0/8/130813054/6fbb2cfe9a8.pdf
    • http://hostmaster.inkfishltd.co.uk/uploads/1/3/0/6/130620334/fcea7ff1a5bed.pdf
    • http://cdn.visualpatterns.org/uploads/1/3/0/5/130588574/nalojikexakeri.pdf
    • http://silktailor.ca/uploads/1/3/0/6/130639600/66b3154d8534a.pdf
    • http://morganelwell.net/uploads/1/3/0/6/130639337/3554643.pdf
    • http://arise73.pleasingfood.com/uploads/1/3/0/4/130436224/130436224.html#catia+datei+als+3d+pdf+speichern
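The check behind PDF_SEO_LINK_FARM can be reproduced from the raw file. The Python below is an added example, not the analysis platform's heuristic engine: it pulls /URI link-annotation targets out of uncompressed PDF bytes, then scores file size, the number of external .pdf links, and how strongly those links cluster on one host or on one path template (the URLs in this report sit on different hosts but all share the /uploads/1/3/0/<digit>/<nine-digit id>/ layout, which per-host counting alone would miss). The sample PDF, its hosts and the thresholds are constructed for the example. Caveat: annotations inside compressed object streams are invisible to this byte scan; inflate them, or use a real PDF parser, before counting.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample (not the report's sample): ten ".pdf" links and one
# ".html" link over four made-up hosts, all sharing one
# /uploads/N/N/N/N/NNNNNNNNN/ path layout like the one the report lists.
FARM_URLS = (
    [f"http://farm-host-a.test/uploads/1/3/0/4/13048320{i}/{4041290 + i}.pdf" for i in range(6)]
    + [f"http://farm-host-b.test/uploads/1/3/0/7/13073904{i}/item{i}.pdf" for i in range(2)]
    + [f"http://farm-host-c.test/uploads/1/3/0/3/13032370{i}/doc{i}.pdf" for i in range(2)]
    + ["http://farm-host-d.test/uploads/1/3/0/4/130436224/130436224.html#some+keyword"]
)
# A benign document with two citation links: must not trip the heuristic.
CITATION_URLS = ["https://example.org/paper.pdf", "https://example.org/about"]


def _pdf_escape(s: str) -> str:
    return s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")


def build_sample_pdf(urls) -> bytes:
    """Minimal uncompressed one-page PDF with one /Link annotation per URL.
    No xref table is written: the extractor below scans objects, not the xref."""
    annots = " ".join(f"{4 + i} 0 R" for i in range(len(urls)))
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [{annots}] >>".encode()]
    for i, u in enumerate(urls):
        y = 700 - 16 * i
        objs.append(f"<< /Type /Annot /Subtype /Link /Rect [72 {y} 540 {y + 14}] "
                    f"/A << /S /URI /URI ({_pdf_escape(u)}) >> >>".encode())
    body = b"".join(f"{n} 0 obj\n".encode() + o + b"\nendobj\n" for n, o in enumerate(objs, 1))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# String operand of a /URI key: literal "(...)" with backslash escapes, or hex "<...>".
_URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)", re.S)
_SIMPLE_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}


def _unescape_literal(raw: bytes) -> bytes:
    """Resolve \\n-style escapes, \\ddd octal, line continuations, and a
    backslash before any other byte (the backslash is dropped)."""
    def repl(m):
        e = m.group(1)
        if e in _SIMPLE_ESC:
            return _SIMPLE_ESC[e]
        if e in (b"\r\n", b"\r", b"\n"):
            return b""
        return bytes([int(e, 8) & 0xFF]) if e[:1] in b"01234567" else e
    return re.sub(rb"\\(\r\n|\r|\n|[0-7]{1,3}|.)", repl, raw, flags=re.S)


def extract_uri_links(pdf: bytes):
    """Return /URI targets in file order. Sees only uncompressed objects:
    annotations inside FlateDecode'd object streams must be inflated first."""
    urls = []
    for m in _URI_RE.finditer(pdf):
        if m.group(1) is not None:
            raw = _unescape_literal(m.group(1))
        else:
            h = re.sub(rb"\s", b"", m.group(2))
            raw = bytes.fromhex((h + b"0" * (len(h) % 2)).decode())
        urls.append(raw.decode("latin-1"))
    return urls


def _path_template(url: str) -> str:
    """Collapse digit runs and the last path component; generated farms share
    one template even when every link sits on a different host."""
    path = re.sub(r"/[^/]*$", "/*", urlparse(url).path or "/")
    return re.sub(r"\d+", "N", path)


def link_farm_assessment(pdf: bytes, max_size=200_000, min_pdf_links=8, cluster_frac=0.5):
    """Flag a small file with many external .pdf links that cluster on one
    host or one path template. Thresholds are this example's assumptions."""
    parsed = [(u, urlparse(u)) for u in extract_uri_links(pdf)]
    external = [(u, p) for u, p in parsed if p.scheme.lower() in ("http", "https")]
    pdf_links = [u for u, p in external if p.path.lower().endswith(".pdf")]
    hosts = Counter((p.hostname or "") for _, p in external)
    templates = Counter(_path_template(u) for u, _ in external)
    n = len(external)
    top_host, top_host_n = hosts.most_common(1)[0] if n else ("", 0)
    top_tpl, top_tpl_n = templates.most_common(1)[0] if n else ("", 0)
    host_frac, tpl_frac = (top_host_n / n, top_tpl_n / n) if n else (0.0, 0.0)
    flagged = (len(pdf) <= max_size and len(pdf_links) >= min_pdf_links
               and (host_frac >= cluster_frac or tpl_frac >= cluster_frac))
    return {"file_size": len(pdf), "external_links": n, "pdf_links": len(pdf_links),
            "distinct_hosts": len(hosts), "top_host": top_host, "top_host_frac": host_frac,
            "top_path_template": top_tpl, "top_template_frac": tpl_frac, "flagged": flagged}


if __name__ == "__main__":
    for name, urls in (("farm", FARM_URLS), ("citation", CITATION_URLS)):
        print(name, link_farm_assessment(build_sample_pdf(urls)))
```

Running it prints both verdicts: on the farm sample both clustering signals fire (6 of 11 links on one host, 11 of 11 on one path template) and the file flags; the two-link citation sample stays clean. The template signal is the one worth keeping when a farm is spread across many throwaway domains.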

Extracted artifacts (1)

Files carved from inside the sample during analysis. The font stream below is listed as a carved artifact only; none of the heuristics above fires on it.

  • Filename: font_00_sfnt_off000031c6.bin
    SHA-256: 564aa3cc26ac7a7d54dcaad3af738d1de59e0d0fd83379779f25cd78375f3a96
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x31C6
    Size: 9180 bytes
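The artifact entry above records a font stream carved at a file offset with its own SHA-256, which is what lets the same embedded font be matched across samples that differ only in their links. As an added example, and not the platform's carver, the Python below walks `N G obj ... stream` objects in a PDF, honours a direct /Length, inflates FlateDecode, tags sfnt fonts by their magic bytes, and hashes the decoded bytes. The input is a constructed two-object fragment with a fake 64-byte sfnt header, not the report's sample; an indirect /Length reference falls back to an endstream scan, and streams with filters other than FlateDecode are hashed undecoded.

```python
import hashlib
import re
import zlib

# Constructed input (not the report's sample): one FlateDecode'd FontFile2
# stream carrying a fake TrueType (sfnt) header, plus one plain content
# stream. A real file has many more objects and an xref table.
FAKE_SFNT = b"\x00\x01\x00\x00" + b"\x00\x04" + b"\x00" * 58   # sfnt 1.0, 4 tables, padding


def build_sample_objects() -> bytes:
    font = zlib.compress(FAKE_SFNT)
    text = b"BT /F1 12 Tf 72 700 Td (Hello) Tj ET"
    return (b"%PDF-1.4\n"
            + b"7 0 obj\n<< /Length %d /Filter /FlateDecode /Length1 %d >>\nstream\n"
            % (len(font), len(FAKE_SFNT))
            + font + b"\nendstream\nendobj\n"
            + b"8 0 obj\n<< /Length %d >>\nstream\n" % len(text)
            + text + b"\nendstream\nendobj\n%%EOF\n")


_OBJ_STREAM_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(<<.*?>>)\s*stream\r?\n", re.S)
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")   # TrueType, CFF OpenType, Mac TrueType, collection


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def carve_streams(pdf: bytes):
    """Carve every stream object, inflate FlateDecode, classify sfnt fonts,
    and hash the decoded bytes. One record per stream, in file order."""
    found = []
    for m in _OBJ_STREAM_RE.finditer(pdf):
        d, start = m.group(3), m.end()
        # Direct /Length only; "/Length 9 0 R" would need an object lookup,
        # so in that case fall back to scanning for the endstream keyword.
        ln = re.search(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)", d)
        if ln:
            end = start + int(ln.group(1))
            raw = pdf[start:end]
        else:
            end = pdf.find(b"endstream", start)
            raw = pdf[start:len(pdf) if end < 0 else end].rstrip(b"\r\n")
        fm = re.search(rb"/Filter\s*(\[[^\]]*\]|/\w+)", d)
        filters = [f.decode() for f in re.findall(rb"/(\w+)", fm.group(1))] if fm else []
        data, decoded = raw, not filters
        if filters == ["FlateDecode"]:
            try:
                data, decoded = zlib.decompress(raw), True
            except zlib.error:
                pass                      # truncated or corrupt: hash the raw bytes
        found.append({
            "obj": int(m.group(1)), "offset": start, "size": len(data),
            "filters": filters, "decoded": decoded,
            "kind": "sfnt-font" if data[:4] in SFNT_MAGICS else "other",
            "sha256": sha256_hex(data),
        })
    return found


if __name__ == "__main__":
    for rec in carve_streams(build_sample_objects()):
        print(rec)
```

Hash the decoded bytes, not the compressed stream: two carriers that embed the same font with different zlib settings still collide on the decoded SHA-256, which is the value you want in a correlation index.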