Malicious PDF — malware analysis report

Static analysis result for SHA-256 c3731f17b6e93492…

MALICIOUS

PDF

Size: 38.2 KB
Authoring application: Mobipocket Creator
MD5: f0475d56ebe21106c3b8b80ad03d229e
SHA-1: 6ef8308f64a354a24e0c2f528770cde9e865c00e
SHA-256: c3731f17b6e934928a54359c83aba78d6ce9a1d4ded1a3e1883e89b5a63aa2d2
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file contains a large number of external links, as detected by the PDF_SEO_LINK_FARM heuristic. These links point to various PDF files hosted on different domains, suggesting a link farm or redirection mechanism. The ML classifier and ClamAV detection further support the malicious nature of this file, classifying it as phishing-related. The embedded document body text, though heavily obfuscated, contains references to IELTS material, potentially serving as a lure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000373f.bin
Hash: 904152dd92ee3d0ca9344d42cfc2e31560609c1950fa8a03cce3cfd60c3a6b73
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x373F
Size: 7080 bytes