Malicious PDF — malware analysis report

Static analysis result for SHA-256 bd0d628c600fc842…

MALICIOUS

PDF

Size: 39.8 KB
Authoring application: SWFTools
MD5: ae6ab4f3d4e1443194c112f01a40e457
SHA-1: c70b8e75be24075b0bbf4902fccc20d6a6d5509b
SHA-256: bd0d628c600fc84231b5539188adcbc21d58b27f4bf95bbdecc04cecb8e29c20
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Link
  • T1059.001 PowerShell

The PDF was flagged by three independent signals: the critical PDF_SEO_LINK_FARM heuristic, a ClamAV phishing signature, and the machine learning classifier at its maximum score. The extracted URLs show a link-farm layout: thirteen clickable links, twelve of them to further PDF files, spread across thirteen unrelated hosts, nearly all sharing the same /uploads/1/3/0/... path structure. This layout is characteristic of generated SEO-poisoning carriers that funnel search-engine visitors into malware or phishing delivery chains rather than of a document citing sources. No scripts (JavaScript or otherwise) were extracted from the sample, so the risk lies in where the links lead, not in code that runs when the file is opened.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://drfinkhobart.com/uploads/1/3/0/6/130620379/762d212193eb65.pdf
    • http://lap.swealth.net/uploads/2020/01/28/2526975.pdf
    • http://athometutoringperth.com/uploads/1/3/0/4/130483626/lasisex-xositiroj.pdf
    • http://lanzarote-immobilien.info/uploads/1/3/0/2/130272283/c789f11f46.pdf
    • http://roosterpr.agency/uploads/1/3/0/5/130550768/vemadizisubuzob_pivilogitonam_dezij.pdf
    • http://naturecalling.us/uploads/1/3/0/2/130287513/tenedujadelidamax.pdf
    • http://mosholudaycamp.com/uploads/1/3/0/2/130270768/xelej.pdf
    • http://mohannadgharaibeh.com/uploads/1/3/0/5/130588307/0456ab.pdf
    • http://solidinvestmentgroupbvba.com/uploads/1/3/0/5/130551876/wewisu-josuzunub-wewur-govudejo.pdf
    • http://greyghosttac.com/uploads/1/3/0/6/130620778/wuxuzorabejip_ropuj.pdf
    • http://mgtavconference.com/uploads/1/3/0/3/130323250/0210a6.pdf
    • http://crystalroseco.com/uploads/1/3/0/4/130483494/effa35a.pdf
    • http://nursingarmpillow.com/uploads/1/3/0/2/130288565/130288565.html#sketchup+deneme+s%C3%BCr%C3%BCm%C3%BC
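The link-farm rule and the per-channel URL labelling described above can both be reproduced on raw PDF bytes without a full parser. The Python below is an added example written for this page, not the scanner's own rule: the thresholds (64 KB, eight .pdf links), the channel names, the regexes, the sample URLs and the PDF they are embedded in are all assumptions, and the file it scans is constructed inline rather than the real sample.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Channel 1: link-annotation actions, /A << /S /URI /URI (http://...) >>
URI_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")
# Channel 2: JavaScript actions, /S /JavaScript /JS (...)
JS_RE = re.compile(rb"/JS\s*\(([^)]*)\)")
# Anything that looks like a URL, used inside JS payloads and for the document body.
HTTP_RE = re.compile(rb"https?://[\w\-./%?#=+&:]+")


def extract_urls(pdf):
    """Return [(url, channel)], each URL once per channel, in the order found.
    Channel names mirror the report's labels: link annotation, JS, document body."""
    found, seen = [], set()

    def add(url, channel):
        if (url, channel) not in seen:
            seen.add((url, channel))
            found.append((url, channel))

    for m in URI_RE.finditer(pdf):
        add(m.group(1).decode("latin-1"), "link annotation")
    for m in JS_RE.finditer(pdf):
        for u in HTTP_RE.findall(m.group(1)):
            add(u.decode("latin-1"), "JS")
    # Document body: any remaining URL not already reached through an action.
    reached = {u for u, _ in found}
    for u in HTTP_RE.findall(pdf):
        if u.decode("latin-1") not in reached:
            add(u.decode("latin-1"), "document body")
    return found


def link_farm_verdict(pdf, max_size=64 * 1024, min_pdf_links=8):
    """Assumed thresholds: a file of at most max_size bytes carrying at least
    min_pdf_links clickable links to external .pdf resources is flagged.
    Host clustering is reported as context, not used as a gate."""
    links = [u for u, ch in extract_urls(pdf) if ch == "link annotation"]
    pdf_links = [u for u in links if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).netloc.lower() for u in pdf_links)
    top_share = hosts.most_common(1)[0][1] / len(pdf_links) if pdf_links else 0.0
    return {
        "size": len(pdf),
        "pdf_links": len(pdf_links),
        "hosts": len(hosts),
        "top_host_share": round(top_share, 2),
        "flagged": len(pdf) <= max_size and len(pdf_links) >= min_pdf_links,
    }


def build_link_pdf(urls, open_action_js=None):
    """Construct a one-page PDF whose only content is one link annotation per URL,
    optionally with a JavaScript /OpenAction. A stand-in for the sample, not the sample."""
    js = (b" /OpenAction << /S /JavaScript /JS (" + open_action_js.encode("latin-1") + b") >>"
          if open_action_js else b"")
    annots = [
        b"<< /Type /Annot /Subtype /Link /Rect [0 %d 200 %d] /Border [0 0 0] "
        b"/A << /S /URI /URI (%s) >> >>" % (i * 10, i * 10 + 8, u.encode("latin-1"))
        for i, u in enumerate(urls)
    ]
    refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R" + js + b" >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] /Annots [" + refs + b"] >>",
    ] + annots
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for n, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % n + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref)
    return bytes(out)


# Constructed URLs imitating the report's pattern: many hosts, one /uploads/... layout.
SAMPLE_URLS = [
    "http://site%02d.example/uploads/1/3/0/%d/1305%05d/%s.pdf" % (i, i % 7, i, "abcdef"[i % 6] * 4)
    for i in range(12)
] + ["http://site00.example/uploads/1/3/0/0/130500000/130500000.html#trial"]
SAMPLE_PDF = build_link_pdf(SAMPLE_URLS)

if __name__ == "__main__":
    for url, channel in extract_urls(SAMPLE_PDF):
        print("%-16s %s" % (channel, url))
    print(link_farm_verdict(SAMPLE_PDF))
```

Two points worth noting. The rule text above speaks of links "mostly clustered on one host", while this sample's twelve PDF links sit on twelve different hosts, so the example gates on file size and link count and only reports the top-host share as context. And a regex over raw bytes misses URIs stored in hex strings or inside compressed object streams (PDF 1.5 /ObjStm); a production rule must decode those first or it will under-count exactly the carriers that try to hide their links.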

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000151a.bin
SHA-256: 2dd513bbfc360b980cbe109aa66fc8741117f3d726bbab03ae483bb05123ad83
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x151A
Size: 9836 bytes
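The artifact above was carved by recognising an sfnt font inside the file at a fixed offset and cutting it out at its natural end. The Python below is an added example for this page, not the scanner's own carver: it shows how such a font is located and sized from its table directory, both in the raw file bytes and inside a FlateDecode stream. The font and the PDF that wraps it are constructed inline (a 108-byte stub, not the 9836-byte artifact), and the 64-table sanity limit is an assumption.

```python
import re
import struct
import zlib

# sfnt version tags: TrueType (0x00010000), CFF-based OpenType ('OTTO'), Apple ('true').
SFNT_MAGIC = (b"\x00\x01\x00\x00", b"OTTO", b"true")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def sfnt_length(buf, off):
    """Validate the sfnt table directory at buf[off:] and return the font's byte
    length (end of the last table, 4-byte aligned), or None if no font starts there."""
    if buf[off:off + 4] not in SFNT_MAGIC or off + 12 > len(buf):
        return None
    num_tables = struct.unpack(">H", buf[off + 4:off + 6])[0]
    if not 1 <= num_tables <= 64:           # assumed sane directory size for a real font
        return None
    dir_end = 12 + 16 * num_tables
    if off + dir_end > len(buf):
        return None
    end = dir_end
    for i in range(num_tables):
        rec = off + 12 + 16 * i
        tag, _checksum, t_off, t_len = struct.unpack(">4sIII", buf[rec:rec + 16])
        if not all(0x20 <= c < 0x7F for c in tag):          # tags are printable ASCII
            return None
        if t_off < dir_end or t_off + t_len > len(buf) - off:  # table follows directory, fits
            return None
        end = max(end, t_off + t_len)
    return min((end + 3) & ~3, len(buf) - off)


def _candidates(buf):
    """Every offset at which one of the sfnt magic values occurs."""
    for magic in SFNT_MAGIC:
        i = buf.find(magic)
        while i != -1:
            yield i
            i = buf.find(magic, i + 1)


def carve_sfnts(pdf):
    """Return [(where, offset, length, blob)] for every validated sfnt found in the
    raw file bytes and inside each stream that inflates as zlib (FlateDecode)."""
    hits = []
    for off in sorted(_candidates(pdf)):
        n = sfnt_length(pdf, off)
        if n:
            hits.append(("raw", off, n, pdf[off:off + n]))
    for k, m in enumerate(STREAM_RE.finditer(pdf)):
        try:
            data = zlib.decompress(m.group(1))
        except zlib.error:
            continue                          # raw or non-Flate stream, already scanned above
        for off in sorted(_candidates(data)):
            n = sfnt_length(data, off)
            if n:
                hits.append(("stream %d" % k, off, n, data[off:off + n]))
    return hits


def build_min_sfnt():
    """Constructed stub (not a real font): TrueType header with two tables, head
    and maxp, each padded to 4 bytes as the sfnt format requires."""
    tables = [(b"head", bytes(54)), (b"maxp", struct.pack(">IH", 0x00005000, 1))]
    hdr = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", len(tables), 32, 1, 0)
    data_off = 12 + 16 * len(tables)
    records, body = b"", b""
    for tag, blob in tables:
        records += struct.pack(">4sIII", tag, 0, data_off + len(body), len(blob))
        body += blob + bytes((-len(blob)) % 4)
    return hdr + records + body


def build_font_pdf(font, compress):
    """Constructed PDF wrapping `font` as a /FontFile2 stream, raw or FlateDecode.
    No xref table is written; the carver does not need one."""
    payload = zlib.compress(font) if compress else font
    filt = b" /Filter /FlateDecode" if compress else b""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /Length %d /Length1 %d%s >>\nstream\n" % (len(payload), len(font), filt)
        + payload + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n")
    for n, body in enumerate(objs, start=1):
        out += b"%d 0 obj\n" % n + body + b"\nendobj\n"
    out += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return bytes(out)


if __name__ == "__main__":
    font = build_min_sfnt()
    for compress in (False, True):
        for where, off, n, blob in carve_sfnts(build_font_pdf(font, compress)):
            print("%-9s offset 0x%04X length %d bytes intact=%s" % (where, off, n, blob == font))
```

If the listed SHA-256 is computed over the carved bytes, as the listing suggests, the same font embedded with and without compression carves to the same hash, which is what makes the artifact hash a useful pivot across samples. A font that parses cleanly says nothing about maliciousness on its own; it is pulled out so it can be checked separately against font-parser signatures and compared with fonts from related carriers.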