Malicious PDF — malware analysis report

Static analysis result for SHA-256 ead53c8744f35908…

MALICIOUS

PDF

Size: 60.9 KB
Authoring application: Serif PagePlus
MD5: 016e97b290f5ce4f5a3e3820e9b5d626
SHA-1: ca2f7d9d9831b4fbc0ec4cf9c8e2796c7c861538
SHA-256: ead53c8744f359081cad6e0f1a34be7879e24e106a545306fbce249e1ee89838
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF contains a mass external link farm, with multiple URLs pointing to PDF files on different domains. The heuristic PDF_SEO_LINK_FARM specifically identifies this behavior. ClamAV also detected this as Pdf.Phishing.TtraffRobotInstall, indicating a phishing or malicious distribution intent. The embedded document body text, though partially corrupted, mentions 'Ilae 2017 seizure classification ppt' and includes some of the external URLs, reinforcing the lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9989

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ruefrancaise.com/uploads/1/3/0/6/130604195/mezunaravi-kegatitazimato.pdf
    • http://piedrasvivasiglesia.org/uploads/1/3/0/4/130483879/4746867.pdf
    • http://alsupmusic.com/uploads/1/3/0/2/130274256/bb755.pdf
    • http://clucktruckportland.com/uploads/1/3/0/5/130552016/130552016.html#ilae+2017+seizure+classification+ppt

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000106c.bin
    SHA-256: 6b03980ae3399aa4967f4a5a342ebc22652e5f9ba36d263f25b34b522e18f3bc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x106C
    Size: 8712 bytes
  • font_01_sfnt_off0000b4f7.bin
    SHA-256: 41d5c9cb4d60b7530e3cfd93a78efd430fe179aa57a8296e74fb8a971da4b0ee
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xB4F7
    Size: 2600 bytes