Malicious PDF — malware analysis report

Static analysis result for SHA-256 d5a061479c0c81f6…

MALICIOUS

PDF

Size: 117.4 KB
Authoring application: PDF Studio
MD5: fcf68e915b0eba0f878225ac0a0ac26c
SHA-1: 2efd7c9d5643d453eadf96f1b87bd8e33b9fe218
SHA-256: d5a061479c0c81f6863167bbb4b15802f6531b15a2d1a310f97d9b87146981d2
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file exhibits characteristics of a link farm, containing numerous external links pointing to other PDF files. This is strongly indicative of a phishing or malware distribution campaign, as suggested by the 'PDF_SEO_LINK_FARM' heuristic and ClamAV detection. The ML classifier also flagged this file with high confidence. No scripts were extracted, and the document body was heavily obfuscated and truncated, preventing a deeper analysis of its specific lure.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9997

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://yarnislove.com/uploads/1/3/0/7/130739449/noroduvevuzipinij.pdf
    • http://mojonz.co.nz/uploads/1/3/0/4/130435672/01299c4.pdf
    • http://mta-sts.mail.istmstyles.com/uploads/1/3/0/8/130873893/durijogikew_dotewewup.pdf
    • http://hostmaster.speelveldbelijning.be/uploads/1/3/0/2/130287813/movubizaxol.pdf
    • http://nixology.com/uploads/1/3/0/7/130776542/wajagatavifijil.pdf
    • http://myflexbrace.com/uploads/1/3/0/7/130738513/gubazona.pdf
    • http://kbfineart.com/uploads/1/3/0/6/130620888/tidolunovinefe-kibekinuno-nipuzesozosepib.pdf
    • http://summitdentalaccounting.mobi/uploads/1/3/0/6/130639439/8320597.pdf
    • http://deliverypekin.com/uploads/1/3/0/6/130640109/6574811.pdf
    • http://niveditainstitutions.com/uploads/1/3/0/4/130488331/c0d2a1b9c8873.pdf
    • http://sdorsher.com/uploads/1/3/0/6/130639023/2793360.pdf
    • http://keepcsamaphysiciansociety.com/uploads/1/3/0/5/130588443/2167299.pdf
    • http://allatjanster.online/uploads/1/3/0/7/130740597/adf2eceb089a.pdf
    • http://79.bpmtc.com/uploads/1/3/0/4/130489019/130489019.html#winter+soldier+captain+america+trailer

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00004473.bin
    SHA-256: a8a50bef484d90f300ac8aafd7e448f98fc593a7a1b33e40842f01953662cd67
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4473
    Size: 9552 bytes
  • Filename: font_01_sfnt_off0000fe54.bin
    SHA-256: 63f5e27ee3d24cc00d413e59c301cc73ab377383609796993547673f2bea898c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFE54
    Size: 2600 bytes