Malicious PDF — malware analysis report

Static analysis result for SHA-256 b98d40708c890cbe…

MALICIOUS

PDF

Size: 43.0 KB
Authoring application: pstoedit
MD5: 1a61ef38330d7a3fb81815f6098688f0
SHA-1: 22e11580e2be1153b2f655cc18dfedde1b63dadb
SHA-256: b98d40708c890cbe559fbae76a4326c822b41d7e14f63df8592c97b753f35f86
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of external links, a technique commonly used for SEO spam or to redirect users to malicious sites. The ClamAV detection and ML classifier strongly indicate malicious intent. The embedded URL heuristic confirms the presence of numerous external links, with the dominant host being flywithmegandry.com. The document body text is heavily obfuscated and appears to be metadata related to PDF conversion rather than user-facing content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002d3d.bin
  SHA-256: f31c439e28d0137206b91a151f21343900f846ed9ff070250fbe82eb1cc7da1d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2D3D
  Size: 16204 bytes

Filename: font_01_sfnt_off00004568.bin
  SHA-256: 082c74872311721d2659e7bf5c3c109d61792abc8f4bc362b2671b31cc8b6a33
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x4568
  Size: 8488 bytes