Malicious PDF — malware analysis report

Static analysis result for SHA-256 e013aca9ae58300d…

Verdict: MALICIOUS
File type: PDF
Size: 42.8 KB
Authoring application: Serif PagePlus
MD5: df11223e105efffc39edc2e3fa79fc8e
SHA-1: 0a6d6c33c3fad46f24702ef1125a2e1bafe42fee
SHA-256: e013aca9ae58300d6d4f69087ace21d1978f182a4fb55ba678adfad0dace5cb5
Risk Score: 150

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded URLs pointing to other PDF files hosted on various domains. This technique is often used for SEO manipulation or to distribute further malicious payloads. The ClamAV detection and ML classifier strongly indicate malicious intent, consistent with a phishing or spam campaign. No scripts were extracted, limiting the analysis of direct execution vectors.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL: Embedded URL info
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00002f19.bin
    SHA-256: 3e9a9dfb40a01f9f7c9c545b28ba37f1de74591f2b47bc69a9983f40f3f3ebd7
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2F19
    Size: 16080 bytes
  • Filename: font_01_sfnt_off00004701.bin
    SHA-256: aa48cbd20bacd83adbc1d6062f5b611c8bc956c14a2b397c04fcfa69f4bc542f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4701
    Size: 9008 bytes