Malicious PDF — malware analysis report

Static analysis result for SHA-256 c5c5bd8f91309a01…

MALICIOUS

PDF

Size: 36.8 KB
Authoring application: ImageMagick
MD5: deb6ffee5ddf4f07eccf511942cdb793
SHA-1: d08820399195c1b8cbf96785bfd703b64c49ac55
SHA-256: c5c5bd8f91309a01d370e82aca7b3f4ffa56db8f1889d353a917f5c7954359da
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1566.002 Spearphishing Link

The PDF contains an unusually large number of link annotations pointing at external PDF documents on many different hosts; the listed targets all share the same /uploads/1/3/0/ path layout. For a 36.8 KB file this matches a generated SEO or link-farm carrier used to route readers into further malicious or unwanted-software delivery chains rather than a normal citation pattern, which is what the PDF_SEO_LINK_FARM heuristic flags. The ML classifier score and the ClamAV signature both agree with that verdict. No scripts were extracted, and the document body was heavily obfuscated, so the specific lure could not be analysed further.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://vrbeforeitstoolate.org/uploads/1/3/0/2/130287989/nilevijexomarade.pdf
    • http://jchomesales.com/uploads/1/3/0/6/130605270/notufojos-vatubidaxemixov.pdf
    • http://mymobilenotarypublic.com/uploads/1/3/0/5/130547150/badegamujoni-sapilok.pdf
    • http://trishduke.com/uploads/1/3/0/7/130776017/gatudonoporozo.pdf
    • http://chinagroupcorp.com/uploads/1/3/0/7/130739628/8393290.pdf
    • http://sportsgrinding.com/uploads/1/3/0/2/130272552/7643000.pdf
    • http://theconnectionsacademy.net/uploads/1/3/0/7/130775107/xanisebowufulumer.pdf
    • http://shop-perfectly-impressive-store.com/uploads/1/3/0/2/130291036/gusutuwosit-begig.pdf
    • http://grantvogelmusic.com/uploads/1/3/0/8/130874011/7266641.pdf
    • http://mnnewfs.com/uploads/1/3/0/5/130589396/manoratiwu.pdf
    • http://edenamelia.com/uploads/1/3/0/2/130287505/7236071.pdf
    • http://ww.bensirestaurants.com/uploads/1/3/0/7/130776403/lofonilu.pdf
    • http://www.lewisreviews.com/uploads/1/3/0/6/130605283/3579080.pdf
    • http://texanhomestudy.com/uploads/1/3/0/7/130740183/23122a2.pdf
    • http://premiumrooms.com/uploads/1/3/0/8/130874055/vakogoxevaxitosix.pdf
    • http://modernbyken.com/uploads/1/3/0/4/130483418/musiki-manej-juvadonamenikuf.pdf
    • http://www.irpimpianti.it/uploads/1/3/0/7/130776185/2d79884000e.pdf
    • http://2onrtn.bdgct.com/uploads/1/3/0/5/130539697/130539697.html#tratamiento+de+sindrome+de+abstinencia+alcoholica
    • http://modernbyken
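The summary and the PDF_SEO_LINK_FARM heuristic above describe three conditions: a small file, many clickable external PDF links, and those links clustered on one host. The following is an added triage script written for this page, not the sandbox's own detection code; the thresholds are hypothetical (the report does not publish the real ones), the sample PDF is constructed inline, and the extractor only handles /URI targets written as literal strings inside raw bytes or FlateDecode streams (no hex strings, no /GoToR remote-go-to actions, no xref walking). It goes one step beyond the report's heuristic by also counting path templates with digit runs collapsed, motivated by the identical /uploads/1/3/0/ layout across the hosts listed above.

```python
"""Triage check for the PDF_SEO_LINK_FARM pattern: pull /URI targets out of
link annotations and score the file by size, link count and host clustering.

Stand-alone re-implementation for illustration; not the sandbox's own code."""
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# Hypothetical thresholds: the report does not publish the real ones.
MAX_SMALL_PDF_BYTES = 100 * 1024   # "small PDF"
MIN_EXTERNAL_PDF_LINKS = 10        # "many clickable external PDF links"
MIN_TOP_HOST_SHARE = 0.5           # "mostly clustered on one host"

# Any stream body; the lookbehind stops "endstream" being taken as a start.
_STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)
# /URI with a literal string; tolerates backslash-escaped parentheses.
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def _searchable_bytes(pdf: bytes) -> bytes:
    """Raw bytes plus every stream that inflates with zlib (FlateDecode).
    Generators usually put annotation dictionaries in compressed object
    streams, so grepping only the raw file misses most link targets."""
    parts = [pdf]
    for m in _STREAM_RE.finditer(pdf):
        try:
            parts.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate: image data, plain content, or another filter
    return b"\n".join(parts)


def extract_uris(pdf: bytes) -> list[str]:
    """All /URI link-annotation targets written as literal strings."""
    uris = []
    for m in _URI_RE.finditer(_searchable_bytes(pdf)):
        unescaped = re.sub(rb"\\(.)", rb"\1", m.group(1))  # \( \) \\ -> ( ) \
        uris.append(unescaped.decode("latin-1"))
    return uris


def score_link_farm(pdf: bytes) -> dict:
    """Apply the three conditions the heuristic text describes, and add a
    path-template count (digit runs collapsed to '#') as an extra signal."""
    uris = extract_uris(pdf)
    external_pdf = [
        u for u in uris
        if u.lower().startswith(("http://", "https://"))
        and urlsplit(u).path.lower().endswith(".pdf")
    ]
    hosts = Counter(urlsplit(u).hostname or "" for u in external_pdf)
    templates = Counter(re.sub(r"\d+", "#", urlsplit(u).path) for u in external_pdf)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_count / len(external_pdf) if external_pdf else 0.0
    verdict = (
        len(pdf) <= MAX_SMALL_PDF_BYTES
        and len(external_pdf) >= MIN_EXTERNAL_PDF_LINKS
        and share >= MIN_TOP_HOST_SHARE
    )
    return {
        "size_bytes": len(pdf),
        "uris": len(uris),
        "external_pdf_links": len(external_pdf),
        "top_host": top_host,
        "top_host_share": round(share, 3),
        "top_path_template": templates.most_common(1)[0] if templates else ("", 0),
        "link_farm": verdict,
    }


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed, minimal PDF whose link annotations sit in one FlateDecode
    stream, which is exactly the case a raw-byte grep would miss. Test input."""
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10]"
        b" /A << /S /URI /URI (%s) >> >>\n" % u.encode("latin-1")
        for u in urls
    )
    body = zlib.compress(annots)
    header = (
        b"%PDF-1.5\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
        b"4 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
    )
    return (header + str(len(body)).encode() + b" >>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")


# Constructed sample: twelve .pdf links on one host (the cluster), one on a
# second host, and one non-PDF link that the .pdf filter should ignore.
SAMPLE_URLS = [
    f"http://farm-host.example/uploads/1/3/0/{i}/13000{i:04d}/doc{i}.pdf"
    for i in range(12)
] + [
    "http://other-host.example/uploads/1/3/0/5/130005555/x.pdf",
    "http://other-host.example/page.html#anchor",
]

if __name__ == "__main__":
    print(score_link_farm(build_sample_pdf(SAMPLE_URLS)))
```

Run it against a real sample by replacing the constructed bytes with the file contents; because the verdict is built from three separately reported numbers, a miss on one condition (for instance the sample above spreading its links across many hosts) still leaves the link count and the shared path template visible for manual judgement.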

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003396.bin
SHA-256: a707dd5cc2e1d67abbe3bcd748e0a2eee6ebcf85c6fb495640819ef5d605624d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3396
Size: 8252 bytes