Malicious PDF — malware analysis report

Static analysis result for SHA-256 b8094a2a0c5a495d…

Verdict: MALICIOUS
File type: PDF
Size: 36.9 KB
Authoring application: Soda PDF
MD5: 16eaf8fd1d33373c2e749e1092ed63f8
SHA-1: cd4cd5488127512566f972ba9dbcf2387f5484ca
SHA-256: b8094a2a0c5a495de78561b929ebe418aae5e990a614fc35aa714dd4bdb5003b
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

This PDF file exhibits characteristics of a link farm, with a large number of embedded URLs pointing to external PDF documents. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or SEO manipulation. No scripts were extracted, but the sheer volume of external links suggests a coordinated effort to distribute or redirect to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://webmail.aptwy.com/uploads/1/3/0/7/130775384/8413324.pdf
    • http://memoirsofatechnocrat.com/uploads/1/3/0/4/130478831/wipejigo-mixotavu-rovodesosupotuz-joxujaxepanato.pdf
    • http://northwestpetsupplies.com/uploads/1/3/0/2/130273915/vemoxawozo-vanalebeno-fozumutitomikag-zomifidevide.pdf
    • http://nurabellus.com/uploads/1/3/0/3/130379311/1f21c.pdf
    • http://thehealingcommunityla.com/uploads/1/3/0/8/130813269/lavudexotagebufawi.pdf
    • http://northwestpetsupplies.com/uploads/1/3/0/3/130323552/69b91b102865c.pdf
    • http://omaiorlegado.com/uploads/1/3/0/4/130483277/jikifebavuzokex.pdf
    • http://mail.marijkecoghe.be/uploads/1/3/0/5/130588956/zivigufapu_juvazotorede_dukajuzogip_wekawovevako.pdf
    • http://www.epicprosauto.com/uploads/1/3/0/6/130639418/wodaw-webivofigoxaxa.pdf
    • http://melscripting.net/uploads/1/3/0/4/130488163/8470425.pdf
    • http://allroundtreeservice.com/uploads/1/3/0/5/130590367/folomopigojum.pdf
    • http://scriptwriterscene.com/uploads/1/3/0/7/130739686/kamikanivuzivut.pdf
    • http://www.dummydiets.com/uploads/1/3/0/7/130775867/ninit.pdf
    • http://bank-nhantienquocte.online/uploads/1/3/0/4/130483542/jajiwotewejewoz.pdf
    • http://stepbucks.com/uploads/1/3/0/7/130739917/5049083.pdf
    • http://lindseymarina.com/uploads/1/3/0/6/130639658/guvepuxevel.pdf
    • http://befittofuntion.com/uploads/1/3/0/5/130588899/fc7be1c7.pdf
    • http://summitcapitalco.com/uploads/1/3/0/4/130436313/zoxujosufupur.pdf
    • http://foundermachine.org/uploads/1/3/0/5/130539987/tajivilisikeje.pdf
    • http://proarbtreeservices.com.au/uploads/1/3/0/7/130776594/fujugibujomajudise.pdf
    • http://indigentweb.com/uploads/1/3/0/4/130436202/lejovujinazit.pdf
    • http://mcafeedesignusa.com/uploads/1/3/0/5/130551342/kuzadefeveni.pdf
    • http://0r8pu.salon225.com/uploads/1/3/0/5/130548039/130548039.html#questions+on+algebraic+expressions+and+identities+for+class+8
    • http://scriptwriterscene.com/uploads/1/3/0/7/1307396

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002f2c.bin
SHA-256:  74ec1362bdceffdf33010aacb6df8883a32e24cfd476beae779a3220ef7f85cf
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x2F2C
Size:     7644 bytes