Malicious PDF — malware analysis report

Static analysis result for SHA-256 b80599ca530ec512…

Verdict: MALICIOUS
File type: PDF
Size: 42.8 KB
Authoring application: QPDF
MD5: ea97eb967a1ebc20d8404eacbf1d1e7b
SHA-1: cd27ae439ff080fd08a3482039f76aff0eb4fa47
SHA-256: b80599ca530ec512a63c969f80f600294c37fa74036848209fef83d4fd0e95b3
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, many of which point to other PDF files hosted on various domains, indicating a link farm built for SEO manipulation or phishing. The ClamAV detection and the ML classifier both strongly suggest malicious intent, most likely phishing or malware distribution. The embedded text, although partially corrupted, mentions 'colouring pages for halloween free printable', which serves as the lure to get users to click the malicious links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL: Embedded URL info
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005186.bin
SHA-256: 14fdc0869ebbd4b5dd557727f3441eae0224ddd15124391840398a3e65992042
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5186
Size: 8064 bytes