Malicious PDF — malware analysis report

Static analysis result for SHA-256 b99a4fd616905b09…

Verdict: MALICIOUS
File type: PDF
Size: 34.2 KB
Authoring application: Smallpdf Desktop
MD5: cae8075b8297d0320e9738be078e6836
SHA-1: 9b280654c4b8e8e37c0eb7c283620e9d275d8e9b
SHA-256: b99a4fd616905b09d321ec129246f141eb67118ab774b14f414c534e78bba5fd
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded external links, identified as a 'PDF_SEO_LINK_FARM' heuristic. This suggests a phishing or SEO manipulation tactic. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a malicious intent, likely related to traffic redirection or phishing. No scripts were extracted, and the document body contained mostly obfuscated or irrelevant text, but the presence of numerous links points to a delivery mechanism for malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003120.bin
SHA-256: de776db8f1397a535d85b1212d61f2eed17dca48a58bd7f652e2355ec757d5df
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3120
Size: 7292 bytes