Malicious PDF — malware analysis report

Static analysis result for SHA-256 acbfb59ae1a05629…

MALICIOUS

PDF

Size: 34.9 KB
Authoring application: Adobe PDF Library 9.0
MD5: 047906f3317d4ba8f95dd160a99e19b4
SHA-1: aa23470a649a59116950de624b5f54d8d9591ce8
SHA-256: acbfb59ae1a056298df414a85c0d95832ef7165492890ac632599b5ddb28c254
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

This PDF file was flagged as malicious by multiple heuristics, including ClamAV and an ML classifier. It contains a large number of embedded URLs pointing to external PDF files, indicating a link farm designed to redirect users. The primary heuristic, PDF_SEO_LINK_FARM, confirms the presence of 16 such links; the first identified URL is http://michaelericksonteach.com/uploads/1/3/0/7/130738619/1cd1e687b8.pdf. The document body contains garbled text and some English phrases about comparative adjectives, which appear to be a lure that disguises the malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://michaelericksonteach.com/uploads/1/3/0/7/130738619/1cd1e687b8.pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002c96.bin
SHA-256: d5f86279cb2f535fee0d6665b5e78740991ed83f60be538a0a96c4f6ae91bdc2
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2C96
Size: 8476 bytes