Malicious PDF — malware analysis report

Static analysis result for SHA-256 ad30dc49b9bfd374…

MALICIOUS

PDF

Size: 33.2 KB
Authoring application: PDFedit
MD5: 1f6eebd0c07da3692c42b66471f1ba1d
SHA-1: 7c76194b7c1bf175ad398b16c310f6ead72464c0
SHA-256: ad30dc49b9bfd37464f406d8daae3ab43adac86e5bad9cd33346d44559ed448f
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF was flagged by multiple heuristics, including ClamAV and an ML classifier, indicating malicious intent. The critical PDF_SEO_LINK_FARM heuristic fired due to the presence of 23 embedded external PDF links, suggesting a link farm or phishing campaign. The document body contains a large number of these URLs, which are likely used to redirect users to malicious content or facilitate SEO poisoning.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://realmconsultingnw.com/uploads/1/3/0/4/130494743/bariwozuw.pdf
    • http://nakedtrackdays.net/uploads/1/3/0/5/130588845/b51c50.pdf
    • http://kateabington.com/uploads/1/3/0/5/130590661/432173.pdf
    • http://bigfootpipelinemarketing.com/uploads/1/3/0/4/130478210/fed0244d3.pdf
    • http://naturesblissjamaica.com/uploads/1/3/0/7/130739020/ed0c62c9575f3ea.pdf
    • http://www.shaishriki.com/uploads/1/3/0/5/130543462/6639509.pdf
    • http://misskatskinks.com/uploads/1/3/0/4/130475982/foworadejibezi.pdf
    • http://autoconfig.pflaghouston.org/uploads/1/3/0/6/130603747/tifigipelawipu.pdf
    • http://jamaicalandoffilm.com/uploads/1/3/0/6/130639790/sadogefedajobutukigi.pdf
    • http://changinglivesproject.com/uploads/1/3/0/4/130483515/tawavid.pdf
    • http://core-systems.nl/uploads/1/3/0/5/130538918/b96db790e31cfc5.pdf
    • http://erxin.org/uploads/1/3/0/5/130547150/7053864.pdf
    • http://www.celineoutletstore.dadgifts.us/uploads/1/3/0/4/130488829/sasoxikarajosepe.pdf
    • http://drvdv.com/uploads/1/3/0/6/130621394/5880342.pdf
    • http://yahonlytimes.com/uploads/1/3/0/8/130813461/pamamusedaduv_tijigimigodoj.pdf
    • http://www.mycpstory.com/uploads/1/3/0/2/130271047/157b277b3943.pdf
    • http://captaingstring.com/uploads/1/3/0/5/130547486/dafipufob.pdf
    • http://wea-linton.com/uploads/1/3/0/4/130475973/d11782.pdf
    • http://valpattersonsings.com/uploads/1/3/0/5/130538939/dowusa.pdf
    • http://pocketfriendlyonline.com/uploads/1/3/0/7/130739167/ratozuko-gubawupala.pdf
    • http://precisionfertilizerspreading.com/uploads/1/3/0/5/130552043/mefevuvibi.pdf
    • http://insidemiddleburyvermont.com/uploads/1/3/0/2/130271145/dupivo.pdf
    • http://marketresiliency.com/uploads/1/3/0/5/130588659/3107159.pdf
    • http://mta-sts.mx.paulmetcalf.net/uploads/1/3/0/6/130604740/130604740.html#vhdl+code+for+4+bit+ripple+carry+adder+using+behavioral+model

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002106.bin
SHA-256: 46d2360968d0296e4349ab36e605895ed5c3ce0b5576071ac0461aec002d455e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2106
Size: 7144 bytes