Malicious PDF — malware analysis report

Static analysis result for SHA-256 d243f2f96c883e8d…

MALICIOUS

PDF

Size: 32.1 KB
Authoring application: pstoedit
MD5: b66f3ee1f3422d824627db874919edaf
SHA-1: 9d91a01f496688167cf188bf3c4d4ca04e259946
SHA-256: d243f2f96c883e8da623d990c57cc4ad660e6a0014794798e83d4949188d85dd
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a link farm with numerous external PDF links, indicating a phishing or malware distribution attempt. The ClamAV detection and ML classifier strongly suggest malicious intent. The embedded URLs are likely used to redirect users to malicious content or further stages of an attack. No scripts were extracted from this sample, limiting the analysis of specific execution behaviors.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00002150.bin
    SHA-256: 45be305926a1455e82f71ed5265bf7028faac462f21986b14e96dd853d90a91a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2150
    Size: 8184 bytes