Malicious PDF — malware analysis report

Static analysis result for SHA-256 c7b500630b350a33…

Verdict: MALICIOUS
File type: PDF
Size: 37.0 KB
Authoring application: PDFedit
MD5: aa807063a4175b0f611c457266d7864a
SHA-1: 0090d516bd4d2b2e0724bb1f9769de3f12d87f2a
SHA-256: c7b500630b350a339c47200565a00cd3b8b1448978c05a13a72fd468872af22f
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links to external PDF files, a technique commonly used for SEO poisoning or for distributing malicious content. The ClamAV detection and the ML classifier both strongly indicate malicious intent, specifically phishing or traffic redirection. The document body itself is heavily obfuscated and contains only fragmented text, but the many URLs pointing to similarly structured PDF files on a range of domains suggest a coordinated effort to lure users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000037e6.bin
SHA-256: 1b0a7401e92ddb9d3d4e0e79816ad606bbe93e986979cdb887f6f5d0329fed69
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x37E6
Size: 7636 bytes