Malicious PDF — malware analysis report

Static analysis result for SHA-256 da29a3dde382536f…

Verdict: MALICIOUS
File type: PDF
Size: 41.1 KB
Authoring application: SWFTools
MD5: f061fbff1c9ac726607b98b401c0ff95
SHA-1: 85e3595774c689af0c78e5dda982ffcb8e5a910e
SHA-256: da29a3dde382536f80654303bebe6bfb3982e7ded1eb23d9e2d2b088ccadf4d5
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF contains a large number of embedded URLs pointing to other PDF files, indicating a link farm or SEO poisoning attempt. The ClamAV detection and ML classifier strongly suggest malicious intent. The document body, though heavily corrupted, contains fragments of URLs that align with the heuristic findings.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000141d.bin
SHA-256: e2d91c4a88696fa7b9c5f6f801020ad7a53e1a93befb8712f288a4fbe1b10f46
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x141D
Size: 8940 bytes