Malicious PDF — malware analysis report

Static analysis result for SHA-256 c38d64d777b70ae0…

Verdict: MALICIOUS
File type: PDF
Size: 45.3 KB
Authoring application: Poppler-utils
MD5: 981ddd3e2a694c99643cf0ae91db68b7
SHA-1: c8130e0ade6e245a50183bacb6b8d367efcdea03
SHA-256: c38d64d777b70ae0221f5d9f13232e30060ef3a145514c861e01802d61d57f79
Risk Score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.001 User Execution: Malicious Link

The PDF was flagged as malicious by several independent checks: a ClamAV signature, an ML classifier, and a structural heuristic. The PDF_SEO_LINK_FARM heuristic fired on the large number of clickable external links embedded in the document, which point to suspicious domains. Such links are most likely meant to route users to sites used for phishing or malware distribution rather than to serve as normal document citations.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL labels record which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://gocustomstamps.com/uploads/1/3/0/7/130740556/duxafo_xuwas_jatolakig.pdf
    • http://my.trssociety.ca/uploads/1/3/0/4/130435635/41c56d4.pdf
    • http://allisongentry.com/uploads/1/3/0/4/130493476/kexomido_kinizidaxej.pdf
    • http://nashobavalleyextractco.com/uploads/1/3/0/6/130620693/130620693.html#a+level+chemistry+summary+notes+pdf
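The two heuristics above (PDF_SEO_LINK_FARM and EMBEDDED_URL) both rest on pulling /URI link actions out of the file and then looking at how the targets cluster by host. The following is an added example that reimplements that idea in Python; it is not the analyzer's own code. It scans the raw bytes plus every stream it can inflate (PDF 1.5+ parks annotation objects in compressed object streams, so a raw-only grep misses them), tags each hit with the channel it came from, and applies assumed thresholds (at most 256 KB, at least 8 external links, at least half on one host). The sample PDFs, hosts and thresholds are constructed for the example; the regex scanner is deliberately simple and does not handle hex-encoded strings, encrypted files or cross-reference streams, so treat it as a triage filter rather than a parser.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# /URI (...) literal strings, with escaped parens/backslashes allowed inside.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)", re.S)
# stream ... endstream bodies; the lookbehind keeps "endstream" from matching as a start.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)


def unescape_pdf_string(raw: bytes) -> str:
    """Undo the PDF literal-string escapes that matter for URLs: \\( \\) \\\\."""
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")


def document_views(pdf: bytes):
    """Yield (channel, bytes) for the raw file and every stream zlib can inflate."""
    yield "raw", pdf
    for m in STREAM_RE.finditer(pdf):
        try:
            yield "flate-stream@0x%x" % m.start(1), zlib.decompress(m.group(1))
        except zlib.error:
            continue  # not deflate data (images, fonts, plain text): skip it


def extract_link_uris(pdf: bytes) -> list:
    """Return (channel, url) pairs for every /URI action found in any view."""
    return [(channel, unescape_pdf_string(m.group(1)))
            for channel, view in document_views(pdf)
            for m in URI_RE.finditer(view)]


def link_farm_verdict(pdf: bytes, min_links: int = 8, max_size: int = 256 * 1024,
                      cluster_ratio: float = 0.5) -> dict:
    """Small file + many external links + most of them on one host. Thresholds are assumptions."""
    urls = [u for _, u in extract_link_uris(pdf)]
    external = [u for u in urls if urlsplit(u).scheme in ("http", "https")]
    hosts = Counter((urlsplit(u).hostname or "").lower() for u in external)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    ratio = top_n / len(external) if external else 0.0
    pdf_links = sum(1 for u in external if urlsplit(u).path.lower().endswith(".pdf"))
    return {
        "size": len(pdf),
        "external_links": len(external),
        "pdf_links": pdf_links,
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_ratio": round(ratio, 2),
        "flagged": len(pdf) <= max_size and len(external) >= min_links and ratio >= cluster_ratio,
    }


def build_sample_pdf(uris, compressed_uris=()) -> bytes:
    """Constructed test input (hypothetical hosts): one page whose link annotations
    point at `uris`; `compressed_uris` go into a Flate stream to exercise the
    inflate path. No xref table is written because the scanner never needs one."""
    def lit(s):  # PDF literal string: escape \ ( ) the way unescape_pdf_string reverses
        return s.encode().replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(uris)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + refs + b"] >>")
    for u in uris:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    b"/A << /S /URI /URI (" + lit(u) + b") >> >>")
    if compressed_uris:
        body = zlib.compress(b"\n".join(b"<< /S /URI /URI (" + lit(u) + b") >>" for u in compressed_uris))
        objs.append(b"<< /Filter /FlateDecode /Length %d >>\nstream\n" % len(body) + body + b"\nendstream")
    out = b"%PDF-1.5\n"
    for n, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % n + obj + b"\nendobj\n"
    return out + b"%%EOF\n"


# Constructed link-farm look-alike: nine links on one host, two elsewhere,
# one more hidden inside a compressed stream (all hosts hypothetical).
FARM_URIS = ["http://cdn-farm.test/uploads/1/3/0/7/%d/file_%d.pdf" % (100 + i, i) for i in range(9)] + [
    "http://other-host.test/a.pdf",
    "https://example.org/notes.html#summary+notes+pdf",
]
FARM_PDF = build_sample_pdf(FARM_URIS, compressed_uris=["http://hidden-host.test/x.pdf"])

# Constructed ordinary document: two citations on two different hosts.
BENIGN_PDF = build_sample_pdf(["https://example.org/paper.pdf", "https://example.com/"])

if __name__ == "__main__":
    for name, doc in (("farm", FARM_PDF), ("benign", BENIGN_PDF)):
        print(name, link_farm_verdict(doc))
        for channel, url in extract_link_uris(doc):
            print("  ", channel, url)
```

The channel tag is the part worth keeping when you adapt this: a URL that only shows up after inflating a stream, or that sits in a /JavaScript action rather than a link annotation, deserves a different label than one in plain link annotations, which is exactly the per-URL channel the EMBEDDED_URL entry refers to.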

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off000011e7.bin | 1ef9fa1771bd31bb20547523c257078aa21cbcd3f5737a947d254610f5c80dbf | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11E7 | 9632 bytes
font_01_sfnt_off000076eb.bin | 41d5c9cb4d60b7530e3cfd93a78efd430fe179aa57a8296e74fb8a971da4b0ee | pdf-font-stream | PDF embedded font (sfnt) at offset 0x76EB | 2600 bytes