Malicious PDF — malware analysis report

Static analysis result for SHA-256 cf462f8fa323c493…

MALICIOUS

PDF

Size: 42.8 KB
Authoring application: SWFTools
MD5: 28612c522713147621eb8544ab6a5faa
SHA-1: 44b73c4bf10556326199b10debb53da92c7c62b9
SHA-256: cf462f8fa323c493d16ca0d39ff0fa79d51a0d58bfe761d265301466b5da8c70
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File
  • T1059.001 PowerShell

The PDF file contains a large number of external links, identified as a 'PDF_SEO_LINK_FARM' heuristic. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier strongly indicate malicious intent, likely for phishing or traffic redirection. The embedded URLs point to a network of suspicious domains, suggesting a coordinated effort to distribute malicious content or redirect users to phishing sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://meritcardmoapp.com/uploads/1/3/0/4/130483879/fedolofaramuviguxima.pdf
    • http://primordiafarming.com/uploads/1/3/0/5/130589077/f50a1fb.pdf
    • http://chloedaniellewhite.com/uploads/1/3/0/5/130551176/dodimawotuwolatobap.pdf
    • http://kojolop.space/uploads/1/3/0/7/130738525/b8a2b8f8d5.pdf
    • http://simplyexquisitehg.com/uploads/1/3/0/5/130551262/zinulunokuk.pdf
    • http://naturehousedesign.com/uploads/1/3/0/7/130775701/8069828.pdf
    • http://therealmommy.com/uploads/1/3/0/6/130639971/kilemevinibo.pdf
    • http://spayedkoolie.com/uploads/1/3/0/5/130588611/kamusu_wujeru.pdf
    • http://mndball.com/uploads/1/3/0/4/130476298/gonafunizubupipole.pdf
    • http://trueiconic.net/uploads/1/3/0/8/130874167/2fab8874d222.pdf
    • http://pablitosbk.com/uploads/1/3/0/7/130740000/ca2b02eb67.pdf
    • http://jewelzcollection.com/uploads/1/3/0/8/130874157/08aff35ac.pdf
    • http://ibuyelectronic.com/uploads/1/3/0/5/130551251/lutewejutuvegoditu.pdf
    • http://samuelprovencher.net/uploads/1/3/0/4/130483125/dulesukexopevim.pdf
    • http://coachstephbcom.com/uploads/1/3/0/7/130740490/800420.pdf
    • http://ryan-foster.com/uploads/1/3/0/4/130476145/kotedujeveweli.pdf
    • http://shubhjai.com/uploads/1/3/0/2/130271111/3081128.pdf
    • http://snappornity.com/uploads/1/3/0/5/130542968/gamuweluzej.pdf
    • http://thesoulexperiment.com/uploads/1/3/0/6/130621141/zekigujog.pdf
    • http://1877selfhelp.com/uploads/1/3/0/6/130620321/nilupapifonuma_xovagig.pdf
    • http://growincome.net/uploads/1/3/0/6/130621785/6031716.pdf
    • http://thepentaxpioneer.com/uploads/1/3/0/4/130478106/mosofe-zodopozodol.pdf
    • http://hppartners.us/uploads/1/3/0/6/130605399/valegidemomipob_rebam_fagozuzugusar_vutaforevevet.pdf
    • http://bronxwentz.com/uploads/1/3/0/2/130288731/f4aa425.pdf
    • http://ktburke.com/uploads/1/3/0/7/130738875/1632483.pdf
    • http://time2bondtravel.voyagerwebsites.com/uploads/1/3/0/6/130605289/130605289.html#tcm+remedy+for+cough
    • http://simplyexquisitehg.com

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000435a.bin
SHA-256: cada153b4aa4c9306414b047c6c9f611948684f93d3590d03fee84c4f718243d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x435A
Size: 7976 bytes