Malicious PDF — malware analysis report

Static analysis result for SHA-256 c81c6a9f4ae58501…

Verdict: MALICIOUS
File type: PDF
Size: 33.2 KB
Authoring application: Serif PagePlus
MD5: d04db3939e760485a183364fbd2c71df
SHA-1: 1422183156a2bbe499d77eab4a6f0e54f90af475
SHA-256: c81c6a9f4ae58501e8f3fe272bd0c7ddbe438ee26b9515396fca2053827c8ab0
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links, identified as a "PDF_SEO_LINK_FARM" heuristic, suggesting a tactic to distribute further malicious content. The document body, while containing unrelated text about "Tanto knife blade templates", also embeds multiple URLs, some of which are flagged as unknown reputation. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • https://zajadekale.weebly.com/uploads/1/3/0/3/130379356/4b10305d1.pdf
    • http://sopowaka.muaxehoigiatot.com/uploads/2020/01/29/noniresug-roputalowu-wazofowem-pilujadavulepun.pdf
    • http://dan.free-log-tracke.com/uploads/2020/01/28/6e0e4b8a2b.pdf
    • http://rupinefov.rurostelekom.ru/uploads/2020/01/27/3440887.pdf
    • http://marymariamadonna.com/uploads/1/3/0/2/130270902/senopemiketub_kepilovovej_miresorusuranub_munevedadu.pdf
    • http://ronolaput.bloomhabits.ru/uploads/2020/01/28/rotubivetozenuwor.pdf
    • http://newstylemarket.com/uploads/1/3/0/2/130289322/130289322.html#tanto+knife+blade+templates

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000115d.bin
SHA-256: eb8d46f648482487a4d23376976e07148a1e31f1b0c0c7f0d1a7ed556aa8f986
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x115D
Size: 8048 bytes