Malicious PDF — malware analysis report

Static analysis result for SHA-256 df1cf43e4d71b87b…

Verdict: MALICIOUS
File type: PDF

Size: 39.0 KB
Authoring application: PDF Studio
MD5: bf421bd2d00de017c417f95eb2def103
SHA-1: 9ba4626a0de3a59406e09cd9981176417082978b
SHA-256: df1cf43e4d71b87b85a9168dba5aaf8046d8f5fe5e3857b69a6be7906dd6bc68
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1566.002 Spearphishing Link

The PDF was flagged by multiple heuristics, including a critical finding for a link farm, and ClamAV identified it as phishing malware. The embedded content, though heavily obfuscated, suggests a lure related to IELTS academic tasks, which is likely a pretext to drive traffic to the numerous external URLs. The primary attack pattern involves directing users to a network of suspicious external sites.

Machine Learning

  • Nyx PDF Classifier: malicious (score 1.0000)

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000037ba.bin
SHA-256: 3a014a2250b29a5670a6c430e49a24881e21990b9e082314248952615a0ea391
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x37BA
Size: 8392 bytes