Malicious PDF — malware analysis report

Static analysis result for SHA-256 e7b1c4305656d9e0…

Verdict: MALICIOUS
File type: PDF
Size: 33.4 KB
Authoring application: QPDF
MD5: 2b5cb79eaaa2c26c4feb45aa2a75bc4e
SHA-1: c5ac885d410f89ab324ef7814a805b1e65e46d89
SHA-256: e7b1c4305656d9e09239508f82297dbea44fea74b8672260a0703c21ea09e4ec
Risk Score: 152

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links, many pointing to suspicious domains, indicating a link farm for SEO poisoning. The document body, though heavily obfuscated, contains text related to movie downloads and includes several URLs. The ClamAV detection and ML classifier strongly suggest malicious intent, likely to redirect users to phishing or malware distribution sites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00001136.bin
    SHA-256: 77797358a246c4b63f83ea1fa15cee8ec4356cd2ea4322a0dfbcd0fd69d90404
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1136
    Size: 7492 bytes
  • Filename: font_01_sfnt_off00003928.bin
    SHA-256: 83d4996baeed0505243fe48e2f4e903f6c1ab35fe43fbb4b0ae34ab6ecee9bec
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3928
    Size: 16852 bytes