Malicious PDF — malware analysis report

Static analysis result for SHA-256 e4a7c9886e1ba89d…

Verdict: MALICIOUS
File type: PDF
Size: 48.2 KB
Authoring application: Serif PagePlus
MD5: bf3ccd8bf591ab09ba9a5a5059458b4c
SHA-1: 84a7af8cf63c0d1094ef13630ffd2f0c411c1a32
SHA-256: e4a7c9886e1ba89de81559873a72bbbdfd741fb4e1750059580673b58e1fbfb9
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links, many of which are dynamically generated with numeric slugs, indicating a link farm designed to distribute malicious content. The ClamAV detection and ML classifier strongly suggest malicious intent, specifically identified as phishing or traffic redirection. The document body, though partially corrupted, mentions 'standby letter of credit', a common lure for financial scams.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

font_00_sfnt_off000035d6.bin
  SHA-256: b64d6741cfec0aad0865d017b05e0e1fb7b4a6100249b802a3843c97d8d05181
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x35D6
  Size: 4552 bytes

font_01_sfnt_off0000443c.bin
  SHA-256: ff1df49bd8d3d9b5afa455194efb1aa37027ce0918a16f3888c56904caa4a7b5
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x443C
  Size: 17156 bytes

font_02_sfnt_off00006059.bin
  SHA-256: 5664ac54131e4d23177d8f1bff50c4b9d310f9c2f1765529412b1cee4da91dcc
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6059
  Size: 11164 bytes