Malicious PDF — malware analysis report

Static analysis result for SHA-256 ecf2d37aa93057f1…

Verdict: MALICIOUS
File type: PDF
Size: 31.9 KB
Authoring application: Pdftk
MD5: bd944f6f4216fee5c07dfbf37312d56a
SHA-1: c6b1824d30f92c564292b9d92551a9149b8bbc1a
SHA-256: ecf2d37aa93057f19b4651efd2b9747177c7f09eb93f242844deb49e0b7e8c73
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was detected as malicious by ClamAV and an ML classifier. The heuristic 'PDF_SEO_LINK_FARM' indicates the presence of numerous external links, suggesting a phishing or redirection campaign. The document body, though heavily obfuscated, contains many of these URLs, reinforcing the attack pattern. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001b1e.bin
SHA-256: dbb777d413ca30bb8c3cf8bc383211b0ebd8ba2a9abff79bc904d57e2e6e4439
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1B1E
Size: 6820 bytes