Malicious PDF — malware analysis report

Static analysis result for SHA-256 e6d1e4e0e5f2f3ae…

Verdict: MALICIOUS
File type: PDF
Size: 39.0 KB
Authoring application: PDFedit
MD5: bf1fd71e652520018afe44a6488bd2cf
SHA-1: 3fc5dfb50d0b4e61036747a613536e95c7758d9e
SHA-256: e6d1e4e0e5f2f3aefad12fc3181d68be04ae83f27a9127be7d68127ecd360fb4
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, as malicious. The critical PDF_SEO_LINK_FARM heuristic indicates the presence of a large number of external links, suggesting a link farm or distribution mechanism. The embedded URLs point to other PDF files, likely part of a campaign to distribute malware or phishing content. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious (score 1.0000)

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000039be.bin
SHA-256: 74edbf5cca2606e5e1bddb9abccda0f9b9d43e01ffb3e4076c834046606c801e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x39BE
Size: 8256 bytes