Malicious PDF — malware analysis report

Static analysis result for SHA-256 c53675c9b780300a…

MALICIOUS

PDF

Size: 41.5 KB
Authoring application: ImageMagick
MD5: d06067bd80adca2caf2622e20dc54c74
SHA-1: 404076d6d14a760ee4502725c905bc32c4d0056d
SHA-256: c53675c9b780300ad00bddd0eda953ad5c4cdfad037b442077ae174380057366
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.001 User Execution: Malicious Link

The PDF contains a large number of clickable external URLs (15 extracted, 14 of them pointing to other .pdf files, each on a different host but sharing the same /uploads/1/3/0/... path shape), a pattern commonly used for SEO manipulation or to route readers into malicious content. The ClamAV detection Pdf.Phishing.TtraffRobotInstall-7605656-0 and the ML classifier output both strongly indicate malicious intent. The document body appears to be unrelated technical or scientific text, which is most likely filler or obfuscation rather than the document's purpose.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 3

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL info
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://brunostippe.com/uploads/1/3/0/6/130605146/siwerobesidanoluxen.pdf
    • http://xiomana.shop/uploads/1/3/0/5/130539820/vomexinunut.pdf
    • http://abmcilwaincpa.com/uploads/1/3/0/2/130287521/rokifufusirovave.pdf
    • http://breadoffrance.com/uploads/1/3/0/7/130775710/6648485.pdf
    • http://ellacart.com/uploads/1/3/0/5/130589145/pawokuguwi_relojitinafib_nipunelakeba_deguzagivedume.pdf
    • http://cseyewear.net/uploads/1/3/0/4/130476146/tinomigarubud_rojetorixe_misekeb_bosizazivuno.pdf
    • http://treeoflifecg.com/uploads/1/3/0/3/130323355/2904579.pdf
    • http://www.damonoscar.com/uploads/1/3/0/8/130874635/9c00c35ec725f.pdf
    • http://namastamyoga.com/uploads/1/3/0/5/130539370/353a210d770e192.pdf
    • http://paretonutrition.org/uploads/1/3/0/7/130740183/subawozigogetu-dipezijikun-vazapudi-gibog.pdf
    • http://luckysquash.com/uploads/1/3/0/8/130814328/xunuwase_xawojut_jamufup_sawevipoke.pdf
    • http://mmcarterconsult.com/uploads/1/3/0/2/130287930/juwuwepame_wereturigupival.pdf
    • http://www.arielledollinger.com/uploads/1/3/0/5/130590296/3813268.pdf
    • http://www.yamayogacollective.com/uploads/1/3/0/5/130551127/855f9.pdf
    • http://huanjiangpindeqipaiyouxi.br3h.com/uploads/1/3/0/6/130605433/130605433.html#which+of+the+following+statements+concerning+the+acid+strength+of+carboxylic+acids+is+correct
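The link-farm heuristic above is easy to reproduce outside the analysis platform. The script below is an added example, not the platform's own PDF_SEO_LINK_FARM implementation: it pulls /URI targets out of link annotations with a regex (no PDF library needed), then applies assumed thresholds (small file, at least 8 external links, at least 70% of them ending in .pdf) and reports the host and path clustering a triager would look at. Because the rule text mentions clustering on one host while this sample spreads its links over 15 hosts, the example also reports the longest path prefix shared by all links. The sample PDF is constructed inline from the URLs listed in this report; the builder, thresholds and the benign control URLs are this example's assumptions.

```python
"""Link-farm heuristic for small PDF carriers (added example, not platform code)."""
import os.path
import re
from collections import Counter
from urllib.parse import urlparse

# Assumed thresholds for the heuristic (not the platform's values).
MAX_SIZE_BYTES = 200 * 1024
MIN_PDF_LINKS = 8
MIN_PDF_SHARE = 0.7

# Literal-string form of a URI action: /URI (http://...). Handles backslash
# escapes inside the string; hex-string form /URI <...> is out of scope here.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")

# URLs extracted from this report's sample (see the EMBEDDED_URL list).
REPORT_URLS = [
    "http://brunostippe.com/uploads/1/3/0/6/130605146/siwerobesidanoluxen.pdf",
    "http://xiomana.shop/uploads/1/3/0/5/130539820/vomexinunut.pdf",
    "http://abmcilwaincpa.com/uploads/1/3/0/2/130287521/rokifufusirovave.pdf",
    "http://breadoffrance.com/uploads/1/3/0/7/130775710/6648485.pdf",
    "http://ellacart.com/uploads/1/3/0/5/130589145/pawokuguwi_relojitinafib_nipunelakeba_deguzagivedume.pdf",
    "http://cseyewear.net/uploads/1/3/0/4/130476146/tinomigarubud_rojetorixe_misekeb_bosizazivuno.pdf",
    "http://treeoflifecg.com/uploads/1/3/0/3/130323355/2904579.pdf",
    "http://www.damonoscar.com/uploads/1/3/0/8/130874635/9c00c35ec725f.pdf",
    "http://namastamyoga.com/uploads/1/3/0/5/130539370/353a210d770e192.pdf",
    "http://paretonutrition.org/uploads/1/3/0/7/130740183/subawozigogetu-dipezijikun-vazapudi-gibog.pdf",
    "http://luckysquash.com/uploads/1/3/0/8/130814328/xunuwase_xawojut_jamufup_sawevipoke.pdf",
    "http://mmcarterconsult.com/uploads/1/3/0/2/130287930/juwuwepame_wereturigupival.pdf",
    "http://www.arielledollinger.com/uploads/1/3/0/5/130590296/3813268.pdf",
    "http://www.yamayogacollective.com/uploads/1/3/0/5/130551127/855f9.pdf",
    "http://huanjiangpindeqipaiyouxi.br3h.com/uploads/1/3/0/6/130605433/130605433.html#which+of+the+following",
]
# Constructed benign control: a couple of ordinary links, no .pdf targets.
BENIGN_URLS = ["https://example.org/docs/intro.html", "https://example.org/contact"]


def pdf_escape(s):
    """Escape the three characters that are special in a PDF literal string."""
    return s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")


def build_sample_pdf(urls):
    """Minimal one-page PDF with one /Link annotation per URL (constructed test
    input; the xref table is omitted because the regex scan does not need it)."""
    objs = ["<< /Type /Catalog /Pages 2 0 R >>",
            "<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annots = " ".join(f"{4 + i} 0 R" for i in range(len(urls)))
    objs.append(f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [{annots}] >>")
    for i, u in enumerate(urls):
        y = 700 - 14 * i
        objs.append(f"<< /Type /Annot /Subtype /Link /Rect [72 {y} 540 {y + 12}] "
                    f"/A << /S /URI /URI ({pdf_escape(u)}) >> >>")
    body = "%PDF-1.4\n" + "".join(f"{n} 0 obj\n{o}\nendobj\n" for n, o in enumerate(objs, 1))
    return (body + "trailer\n<< /Root 1 0 R >>\n%%EOF\n").encode("latin-1")


def extract_uris(pdf_bytes):
    """Return every /URI literal-string target in file order, with PDF
    backslash escapes removed (octal escapes are not interpreted here)."""
    return [re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")
            for raw in URI_RE.findall(pdf_bytes)]


def link_farm_verdict(pdf_bytes):
    """Apply the heuristic and return the metrics a triager would want to see."""
    urls = extract_uris(pdf_bytes)
    external = [u for u in urls if urlparse(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in external)
    top_share = hosts.most_common(1)[0][1] / len(external) if external else 0.0
    pdf_share = len(pdf_links) / len(external) if external else 0.0
    flagged = (len(pdf_bytes) <= MAX_SIZE_BYTES
               and len(pdf_links) >= MIN_PDF_LINKS
               and pdf_share >= MIN_PDF_SHARE)
    return {
        "size": len(pdf_bytes),
        "external": len(external),
        "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host_share": round(top_share, 3),
        # Shared path shape is the clustering signal in this sample, not the host.
        "shared_path_prefix": os.path.commonprefix([urlparse(u).path for u in external]),
        "flagged": flagged,
    }


if __name__ == "__main__":
    for name, urls in (("report sample", REPORT_URLS), ("benign control", BENIGN_URLS)):
        print(name, link_farm_verdict(build_sample_pdf(urls)))
```

The sample from this report trips the rule on link count and .pdf share alone; its 15 distinct hosts would not satisfy a pure "one host" test, which is why the shared /uploads/1/3/0/ prefix is reported as the second clustering signal. To run the same check on a real file, read it in binary mode and pass the bytes to link_farm_verdict; object streams and hex-encoded URIs would need a real PDF parser.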

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename                        Kind              Source                                      Size
font_00_sfnt_off00002443.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x2443   8928 bytes
  SHA-256: 8c13508c47c213c0a718e7b2754abffa161ea08a367afbfff1300c81e0bf2831
font_01_sfnt_off00006ae2.bin    pdf-font-stream   PDF embedded font (sfnt) at offset 0x6AE2   2652 bytes
  SHA-256: e2f1373bf3d70a40ff4276a486f0a1d2d32154e4f45ad1243a44c3d3b7d91cea