Malicious PDF — malware analysis report

Static analysis result for SHA-256 ed5f76722a269f6c…

MALICIOUS

PDF

Size: 55.3 KB
Authoring application: Smallpdf Desktop
MD5: d2f0eb3d60cb2d73db4a0f782f0200fc
SHA-1: 10c55216770227f26fa80f6770f5942fa04f7451
SHA-256: ed5f76722a269f6c8572b49c7754c7c87c550051cac5a8b8922064d27a61a4b7
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, indicating malicious intent. The critical PDF_SEO_LINK_FARM heuristic identified 31 external links, with the first being http://productionalgarve.com/uploads/1/3/0/7/130739850/dubakij_wowomekimowo_todelu_bubofopelu.pdf. This suggests the document is designed to lure users to a network of potentially malicious sites, likely for phishing or malware delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://productionalgarve.com/uploads/1/3/0/7/130739850/dubakij_wowomekimowo_todelu_bubofopelu.pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001360.bin
SHA-256: d7be3ea011e5b7bc78018d3194b7f6a7659af11c7eb13ccfad1c9a67537b91f5
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1360
Size: 9124 bytes