Malicious PDF — malware analysis report

Static analysis result for SHA-256 c3453c4b66c3171b…

MALICIOUS

PDF

Size: 36.2 KB
Authoring application: Smallpdf Desktop
MD5: 0dfdc79ca3c2ac097e683c98d16dc1be
SHA-1: 2cfe8d0ff704c054f1e2bfa0a53b75d2d7757ca2
SHA-256: c3453c4b66c3171b8a5e678def8cb94c63c638af578a17d2de4dc4373cc1ec39
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links, flagged by the PDF_SEO_LINK_FARM heuristic, pointing to other PDF files hosted on various domains. This is a common technique for distributing phishing content or redirecting users to malicious sites. The ClamAV detection and the ML classifier further support the malicious verdict, indicating that the file is likely phishing or traffic-redirecting malware.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://tobiawoyemiministries.com/uploads/1/3/0/6/130621382/dapuridojiwa-xajiliwidema-bopes.pdf
    • http://thegardenhead.com/uploads/1/3/0/6/130604098/bulep.pdf
    • http://nicole-bramble-illustration.com/uploads/1/3/0/6/130639404/bodelemubusam.pdf
    • http://mhswarriorettes.com/uploads/1/3/0/3/130313107/jewobuxujutob-nituz-lupewova-mazeruvisan.pdf
    • http://cnaughty.com/uploads/1/3/0/6/130639038/1785196.pdf
    • http://coremedicalassociates.com/uploads/1/3/0/4/130483581/sojabuke.pdf
    • http://ladieslearnenglish.com/uploads/1/3/0/2/130289570/runutinew_jamureri_felobetup_wegujogokesef.pdf
    • http://readingsbyannie.com/uploads/1/3/0/4/130490036/3de65fea47296.pdf
    • http://getoffmyredcarpet.com/uploads/1/3/0/8/130874197/kitutuzogax.pdf
    • http://pfbclan.com/uploads/1/3/0/6/130605432/dewaberojaludiri.pdf
    • http://nedcurcargo.com/uploads/1/3/0/4/130476917/130476917.html#formato+de+acta+constitutiva+para+empresa+constructora
    • http://coremedicalassociat

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000034cb.bin
Hash: ae2071f38d498c2296cc37b75e79b96c0de95e1de8b76ee4383d61987972f406
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x34CB
Size: 9260 bytes