Malicious PDF — malware analysis report

Static analysis result for SHA-256 ad5735efa65855e0…

MALICIOUS

PDF

51.6 KB Authoring application: Solid Converter PDF
MD5: 0b3ec19003963ef1a7565bc89af9b09f SHA-1: e572a2f4bb5cc6f6d286716f5d48ee50d1326890 SHA-256: ad5735efa65855e0926daa0d3d717f01b5ac0269ba53b9d6d237054b5ccde42a
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, pointing to various domains. This suggests a coordinated effort to manipulate search engine results or redirect users to malicious content. The ClamAV detection and ML classifier further support its malicious nature, classifying it as phishing-related. No scripts were extracted, but the extensive link farm is the primary indicator of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.1stopgen.com/uploads/1/3/0/4/130489604/7655198.pdf
    • http://partabcdeasyas123.com/uploads/1/3/0/6/130620587/bixowenorerager-fajavamojosimi-xoditizojad.pdf
    • http://noahcaseycounselling.com/uploads/1/3/0/2/130289645/nuzunakemo_kivoka_rofazipatuxap.pdf
    • http://bitsbridlesbrambles.com/uploads/1/3/0/5/130589435/2280591.pdf
    • http://thecompanymobilegame.com/uploads/1/3/0/2/130287886/382145.pdf
    • http://www.tatsuminamba.com/uploads/1/3/0/5/130544134/giruzaxesixaxi.pdf
    • http://carlinnguyen.com/uploads/1/3/0/4/130435574/bd789351b804e5d.pdf
    • http://seguraharvesting.com/uploads/1/3/0/5/130590126/725123.pdf
    • http://asburycropfarm.org/uploads/1/3/0/7/130739632/5404006.pdf
    • http://nolaninc.net/uploads/1/3/0/4/130488699/de1ccf265f895eb.pdf
    • http://webdisk.ladse.org/uploads/1/3/0/6/130620642/130620642.html#deadlock+avoidance+in+operating+system+in+hindi

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00003f42.bin
1723f1ced37cc89d69e30f3df6281c5e5fb8989544fd4587aa75b00c91af2fd0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x3F42 1388 bytes
font_01_sfnt_off00004917.bin
dbaa4d1cdf76fab09d148f7ca7864968eb3c02a6f6f167a1e778d05a9f29fa89		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4917 14792 bytes
font_02_sfnt_off00007297.bin
75942b73518a2635f8b2a3c7a5f8af0da7c8731e1f806bcbfe73bc3b803fdb0b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7297 8500 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.