Malicious PDF — malware analysis report

Static analysis result for SHA-256 c6e0abc3cce0ffb6…

Verdict: MALICIOUS
File type: PDF
Size: 36.4 KB
Authoring application: PDFBox
MD5: c3659154b19acc8e073e2aa21c34f22d
SHA-1: ada900458ad5fd0d2d667a3f65540e8e9da2146d
SHA-256: c6e0abc3cce0ffb69b8ca320112a2c6e994a0b86130eb90fa2e78259f323a91d
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded URLs pointing to other PDF files across many unrelated domains. This pattern is indicative of a link farm, or a distribution mechanism for further malicious content, as flagged by the 'PDF_SEO_LINK_FARM' heuristic and the ClamAV detection. The document body itself contains only unrelated filler text alongside the embedded URLs, which reinforces that the file's purpose is to direct users to external resources rather than to convey a document.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, ID: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, ID: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003152.bin
SHA-256:  fe9a5096c8ca1b6da8fc67d5fe532178934f0c2535565f7944c532ac6c679aea
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x3152
Size:     7084 bytes