Malicious PDF — malware analysis report

Static analysis result for SHA-256 ae081f935daa8a38…

Verdict: MALICIOUS
File type: PDF
Size: 40.4 KB
Authoring application: Pdftk
MD5: f720983af36d8cc2caf8aa005e0aa297
SHA-1: 5f0a414dc4091fe8f304802a825f561ccc3fb656
SHA-256: ae081f935daa8a38b8aee8dd44a311e1552a8be8ad78faf2f4ad91907f4df3cd
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link; T1059.001 Command and Scripting Interpreter: PowerShell

The file was flagged as malicious by three independent checks: a ClamAV signature (Pdf.Phishing.TtraffRobotInstall-7605656-0), the Nyx PDF classifier (score 1.0000) and the PDF_SEO_LINK_FARM structural heuristic. The heuristic fired because a 40 KB document carries 22 extracted URL strings (the last a partial copy of the first) pointing at 21 different hosts; all but one target a .pdf file, and every one follows the same /uploads/1/3/0/<n>/13xxxxxxx/ path shape, which is the pattern of a generated link-farm carrier rather than a document with genuine citations. The first extracted URL is http://viprealtorclub.com/uploads/1/3/0/5/130588744/sefat.pdf. Note that in this sample the links are spread across many hosts rather than clustered on one, as the heuristic's generic description assumes; the shared path template is the stronger grouping signal here. The document's purpose is therefore to route readers to further PDF or web content, whether malware delivery or SEO spam, and the link targets rather than this file are the next stage to investigate. No JavaScript or other scripts were extracted from the sample, so the T1059.001 (PowerShell) mapping is not corroborated by the static evidence on this page.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL info
    One or more URLs were extracted from the document. A URL by itself is not a detection; the analyser normally labels each URL with the channel (macro, JS, link annotation, document body, ...) that reached it, but no per-URL channel labels survive in this listing, so the delivery channel of each link cannot be read off the report.
    Extracted URLs (22 strings, 21 hosts):
    • http://viprealtorclub.com/uploads/1/3/0/5/130588744/sefat.pdf
    • http://zabrano.co.uk/uploads/1/3/0/5/130590154/tuguxufurum.pdf
    • http://allidphotography.org/uploads/1/3/0/4/130435679/09ba06cedfba74.pdf
    • http://circumchange.ca/uploads/1/3/0/5/130588463/e55e0a9d6d5090.pdf
    • http://freebearproject.org/uploads/1/3/0/4/130489841/baxiboxomibuvixema.pdf
    • http://libertodos.org/uploads/1/3/0/5/130541597/nedam-tatadopuzopisod.pdf
    • http://williamclegg.com/uploads/1/3/0/7/130740627/5972026.pdf
    • http://www.secrettreasuresuk.com/uploads/1/3/0/6/130620881/litozogomu-sozizonebovepog-lisenovejisuwa-rejoj.pdf
    • http://deanvukelicstonemason.com/uploads/1/3/0/5/130540642/5484660.pdf
    • http://ah-reviews.com/uploads/1/3/0/7/130738725/femebijuruzo.pdf
    • http://nevadachallenger.net/uploads/1/3/0/7/130775758/wiwerik.pdf
    • http://joshandaprilbrand.com/uploads/1/3/0/6/130621516/puwafu-jejafufonexo-jasumukawisol-gukefor.pdf
    • http://universitynest.com/uploads/1/3/0/5/130589198/90b6c5762fbea.pdf
    • http://easycompmx.com/uploads/1/3/0/7/130776582/vejulir_dufevonisitavi_nepopoxu_ruzaj.pdf
    • http://arcticethics.org/uploads/1/3/0/8/130873783/zugeguzeforuxidaxa.pdf
    • http://danielstorage.com/uploads/1/3/0/7/130739986/e87dcc.pdf
    • http://cedricbrunelle.com/uploads/1/3/0/7/130775055/a43597638b21.pdf
    • http://lmathletics.org/uploads/1/3/0/5/130550914/zekafoladitajufam.pdf
    • http://smarttravelhelpline.com/uploads/1/3/0/2/130287505/vubizujawiwizerep.pdf
    • http://salonbeauchesnestudio.com/uploads/1/3/0/6/130604805/31649.pdf
    • http://65bancker.com/uploads/1/3/0/8/130874223/130874223.html#susp+typhoid+fever+adalah
    • http://viprealtorclub.com/uploads/1/3/0/5/130588744/se (partial string, as extracted)
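The PDF_SEO_LINK_FARM heuristic above is easy to reproduce for local triage. What follows is an added example, not the analyser's own code: a pdfid-style script that carves /URI link targets out of raw PDF bytes and scores them on the signals the heuristic names (small file, many external links, mostly .pdf targets, host and path clustering). The thresholds, the minimal PDF builder and the placeholder hostnames are assumptions made for this example; the report's own URLs are not reused.

```python
"""Link-farm triage for PDFs: carve /URI targets, then score them.

Added example, not part of the original report or the analyser. Thresholds,
the xref-less PDF builder and the *.example hostnames are assumptions.
"""
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import urlsplit

# /URI (literal string); the group tolerates backslash escapes inside.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Carve /URI action targets written as PDF literal strings.

    This is a raw scan in the style of pdfid: it does not inflate object
    streams or decode hex strings, so it can miss links a full parser finds.
    """
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1)
        raw = raw.replace(rb"\(", b"(").replace(rb"\)", b")").replace(rb"\\", b"\\")
        uris.append(raw.decode("latin-1"))
    return uris


def link_farm_report(pdf_bytes: bytes, *, min_links: int = 10,
                     max_size: int = 256 * 1024, min_pdf_share: float = 0.75) -> dict:
    """Apply a PDF_SEO_LINK_FARM-style heuristic and return the evidence.

    Thresholds are assumptions for this example, not the analyser's real ones.
    """
    uris = extract_uris(pdf_bytes)
    external = [u for u in uris if urlsplit(u).scheme in ("http", "https")]
    pdf_targets = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in external)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    # Path template: the directory part of each path with digit runs collapsed,
    # so /uploads/1/3/0/5/130588744/x.pdf and /uploads/1/3/0/7/130740627/y.pdf agree.
    templates = Counter(re.sub(r"\d+", "#", urlsplit(u).path.rsplit("/", 1)[0])
                        for u in external)
    n = len(external)
    pdf_share = len(pdf_targets) / n if n else 0.0
    flagged = (len(pdf_bytes) <= max_size and n >= min_links
               and pdf_share >= min_pdf_share)
    return {
        "size": len(pdf_bytes),
        "external_links": n,
        "pdf_targets": len(pdf_targets),
        "pdf_share": round(pdf_share, 2),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": round(top_count / n, 2) if n else 0.0,
        "top_path_template": templates.most_common(1)[0] if templates else None,
        "PDF_SEO_LINK_FARM": flagged,
    }


def build_sample_pdf(urls: list[str]) -> bytes:
    """Construct a minimal PDF (no xref table) whose one page carries one
    /Link annotation per URL. Enough for a raw-byte carve, not for a viewer."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    ]
    annot_refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
                + annot_refs + b"] >>")
    for i, url in enumerate(urls):
        rect = b"[36 %d 576 %d]" % (700 - 14 * i, 712 - 14 * i)
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect " + rect
                    + b" /A << /S /URI /URI (" + url.encode("latin-1") + b") >> >>")
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed inputs: the hostnames are placeholders, not the report's URLs.
FARM_URLS = [f"http://site{i:02d}.example/uploads/1/3/0/{i % 9}/1305{i:05d}/doc{i}.pdf"
             for i in range(20)]
BENIGN_URLS = ["https://www.example.org/", "https://www.example.org/paper.pdf"]

if __name__ == "__main__":
    for name, urls in (("farm", FARM_URLS), ("benign", BENIGN_URLS)):
        print(name, link_farm_report(build_sample_pdf(urls)))
```

Running it prints the metrics for a constructed 20-link farm and a two-link benign control. On a real sample, pass the file bytes to link_farm_report; because the regex only sees literal strings outside compressed object streams, a low count on a file that visibly opens with many links means the streams should be inflated first (for example with qpdf --qdf or pdf-parser) and the scan rerun.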

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003fd5.bin
SHA-256: a636876d2020bd72a325ffe143a05a492feaaca4363d16dc6f7c745f200afef7
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3FD5
Size: 7452 bytes
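Before handing a carved artifact like font_00_sfnt_off00003fd5.bin to any font tooling, it is worth confirming that the blob really has sfnt structure and is not something else parked in a font stream. The following is an added example, not the analyser's code: it carves a blob at a given offset from a container and validates the sfnt offset table and table directory. The container, the two-table TrueType blob inside it and the carve size are constructed inline, so only the offset mirrors the report's 0x3FD5; the 7452-byte size is not reproduced.

```python
"""Sanity-check a carved sfnt blob: header magic, table directory, bounds.

Added example, not part of the original report or the analyser. The sample
container and font are constructed; only the offset mirrors the report.
"""
from __future__ import annotations

import struct

# Scaler types that begin a valid sfnt container.
SFNT_MAGICS = {
    b"\x00\x01\x00\x00": "TrueType",
    b"true": "TrueType (Apple)",
    b"OTTO": "OpenType/CFF",
    b"ttcf": "TrueType Collection",
}
SAMPLE_OFFSET = 0x3FD5  # same offset as the artifact listed above


def build_sample_sfnt() -> bytes:
    """Constructed two-table TrueType header, directory and dummy table data."""
    tables = [(b"head", b"\x00" * 54), (b"name", b"\x00" * 40)]
    num = len(tables)
    offset = 12 + 16 * num  # offset table (12 bytes) + one 16-byte record per table
    directory, data = b"", b""
    for tag, blob in tables:
        directory += struct.pack(">4sIII", tag, 0, offset, len(blob))
        padded = blob + b"\x00" * (-len(blob) % 4)  # tables are 4-byte aligned
        data += padded
        offset += len(padded)
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", num, 32, 1, 0)
    return header + directory + data


def parse_sfnt(blob: bytes) -> dict:
    """Parse the offset table and table directory; reject anything that does
    not stay inside the blob, which is the first thing a font parser trusts."""
    if len(blob) < 12:
        return {"valid": False, "reason": "shorter than offset table"}
    magic = blob[:4]
    if magic not in SFNT_MAGICS:
        return {"valid": False, "reason": f"unknown scaler type {magic!r}"}
    num_tables = struct.unpack(">H", blob[4:6])[0]
    if len(blob) < 12 + 16 * num_tables:
        return {"valid": False, "reason": "directory runs past end of blob"}
    tables = {}
    for i in range(num_tables):
        tag, _checksum, off, length = struct.unpack_from(">4sIII", blob, 12 + 16 * i)
        if off + length > len(blob):
            return {"valid": False, "reason": f"table {tag!r} exceeds blob"}
        tables[tag.decode("latin-1")] = (off, length)
    return {"valid": True, "kind": SFNT_MAGICS[magic], "tables": tables}


def carve_and_check(container: bytes, offset: int, size: int) -> dict:
    """Carve `size` bytes at `offset` from a container (for example a raw PDF)
    and validate the result as an sfnt."""
    blob = container[offset:offset + size]
    result = parse_sfnt(blob)
    result["carved_len"] = len(blob)
    return result


# Constructed container: filler up to the report's offset, the font, a tail.
SAMPLE_FONT = build_sample_sfnt()
SAMPLE_CONTAINER = (b"%PDF-1.4\n" + b"\x00" * (SAMPLE_OFFSET - 9)
                    + SAMPLE_FONT + b"\nendstream\n")

if __name__ == "__main__":
    print(carve_and_check(SAMPLE_CONTAINER, SAMPLE_OFFSET, len(SAMPLE_FONT)))
    print(carve_and_check(SAMPLE_CONTAINER, SAMPLE_OFFSET + 1, len(SAMPLE_FONT)))
```

A valid result with the expected tags (head, name, cmap, glyf or CFF and so on) supports the "embedded font" classification; an unknown scaler type or a table that points outside the blob means the stream is either corrupted or not a font at all, and the blob should be treated as an opaque payload rather than opened in a font viewer.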