Malicious PDF — malware analysis report

Static analysis result for SHA-256 c0122c7077d865ea…

Verdict: MALICIOUS
File type: PDF
Size: 33.8 KB
Authoring application: Smallpdf Desktop
MD5: e98b50d89e8929ee257c798c13881e7d
SHA-1: 3ee8d3595dbb6f9b0169723bd69675631fdc18da
SHA-256: c0122c7077d865eaf07b4c0ddd08ac31c282e2db2f18acbf3232704bf8d96c65
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or SEO-based redirection. The document body itself is heavily corrupted and unreadable, but the presence of numerous links to external PDF files suggests a coordinated effort to direct users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://bygraceweobey.com/uploads/1/3/0/4/130476129/desumepuwa.pdf
    • http://kimibath.com/uploads/1/3/0/5/130590724/tulikajizagenoz_liwupiluvu.pdf
    • http://perceptivecharm.com/uploads/1/3/0/4/130435569/jemenekofofoki.pdf
    • http://swapooexchange.net/uploads/1/3/0/6/130640119/5693950.pdf
    • http://ontrackrti.net/uploads/1/3/0/6/130605278/rexesezadevavif.pdf
    • http://wellspringmassageandbodywork.com/uploads/1/3/0/3/130312952/3183478.pdf
    • http://circoestodo.org/uploads/1/3/0/8/130873843/tusuxuvena.pdf
    • http://nesapublications.com/uploads/1/3/0/5/130538988/lelanedepetezulure.pdf
    • http://interstellarcapital.com/uploads/1/3/0/3/130313106/5878671.pdf
    • http://keyspireducation.com/uploads/1/3/0/8/130813604/dijojafu.pdf
    • http://conqkerrfitness.com/uploads/1/3/0/3/130379517/639749aa1314d5.pdf
    • http://frankvalenti.net/uploads/1/3/0/5/130588515/bijixawap-japukatovaji-jawanosugavafog.pdf
    • http://74-123-72-117.mgwnet.com/uploads/1/3/0/6/130621072/130621072.html#absolute+and+gauge+pressure+measurement

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002d4a.bin
SHA-256: 4d823aca522e339431d566b524d111d0a8c4c118ac688abafb48c28e4043c556
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2D4A
Size: 7432 bytes