Malicious PDF — malware analysis report

Static analysis result for SHA-256 b8c8441de2efcb9a…

MALICIOUS

PDF

33.7 KB Authoring application: pstoedit
MD5: 11ca0f8acb6be87124172b8a95fe7913 SHA-1: 67204c567f5dec5c9e5a201639db9ea928d76cd3 SHA-256: b8c8441de2efcb9a90930c610ce7c95ee736173543575fe6be19e1ab59f79cd1
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of embedded links, identified by the PDF_SEO_LINK_FARM heuristic, pointing to various external domains. This suggests a phishing or content-luring campaign. The ClamAV detection and ML classifier further support its malicious nature. The document body contains text related to a video game review, likely a lure to disguise the malicious links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://nudevember.org/uploads/1/3/0/7/130738876/2802642.pdf
    • http://shaydanielleesthetics.com/uploads/1/3/0/2/130271097/073d9f6d.pdf
    • http://alohawraps.co/uploads/1/3/0/8/130813381/9c8298bcae0ce4.pdf
    • http://boshuster.com/uploads/1/3/0/8/130873771/1783ba1b.pdf
    • http://peelerapp.com/uploads/1/3/0/5/130588492/25504a2c684735a.pdf
    • http://jennyphotos.net/uploads/1/3/0/3/130313037/3d9b3f19bbb.pdf
    • http://tripbuys.com/uploads/1/3/0/5/130551210/8418868.pdf
    • http://aprollers.com/uploads/1/3/0/2/130270743/3e035d743748.pdf
    • http://pcstanks.com/uploads/1/3/0/6/130604109/vigegesetitikiz_monerut.pdf
    • http://catrapsheet.com/uploads/1/3/0/5/130551182/73e72.pdf
    • http://zbfit.online/uploads/1/3/0/5/130540211/zolulapelopa.pdf
    • http://74-123-73-96.mgwnet.com/uploads/1/3/0/4/130435546/130435546.html#warhammer+40k+inquisitor+martyr+ign+review

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00002f57.bin
dd9a82d9ab528810b1bb208b16e3a9cfc13dd25165f8ee7a30ccdd71dd742351		 pdf-font-stream PDF embedded font (sfnt) at offset 0x2F57 7080 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.