Malicious PDF — malware analysis report

Static analysis result for SHA-256 e49a0cd165cd68b5…

MALICIOUS

PDF

Size: 41.1 KB
Authoring application: Smallpdf Desktop
MD5: c59666f69acd25e302be3b3e02dc329b
SHA-1: 0b4325f552dc36a951dcb0d879316b127e27fd9d
SHA-256: e49a0cd165cd68b5ac25066e736d0878b6c10265d8773c954f3c8da9c00f63a4
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, indicating malicious intent. The PDF_SEO_LINK_FARM heuristic fired, revealing a large number of embedded external URLs, with the primary domain being pcm-healthandfitness.com. These links likely serve as a lure to redirect users to phishing or malware-hosting sites. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL: Embedded URL info
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003e51.bin
SHA-256: 4d80f16cfe279b879d05e259d44224a5f44e032d85e9870c27df22a47caacded
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3E51
Size: 8408 bytes