Malicious PDF — malware analysis report

Static analysis result for SHA-256 ee22872144effc7e…

Verdict: MALICIOUS
File type: PDF
Size: 41.7 KB
Authoring application: Smallpdf Desktop
MD5: d1e0a2775250cc4f376a204de005aa54
SHA-1: 60cf7597915c4480e306bde93b53db55fa349363
SHA-256: ee22872144effc7efa4db89f0c19a4edd6ccb352c9e026284f87d251061e2066
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

This PDF was flagged as malicious by three independent signals: a ClamAV signature, an ML classifier (Nyx PDF Classifier score 0.9999) and the PDF_SEO_LINK_FARM heuristic. The file carries 19 extracted links to other PDF files on 19 distinct hosts that all share the same upload-path template (/uploads/1/3/0/<digit>/130nnnnnn/<file>.pdf), plus one HTML link whose URL fragment is an SEO keyword phrase. That pattern is characteristic of a generated link farm or a staging layer that routes readers to further malicious content rather than of normal document citations. The document body itself appears to be corrupted or filled with irrelevant text, so the mass linking is the primary malicious behaviour.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    A small PDF contains many clickable external links to other PDF files that cluster on one host or on one path template. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains rather than a normal document citation pattern. In this sample the 19 PDF links are spread across 19 hosts but share the path template /uploads/1/3/0/<digit>/130nnnnnn/, which points to a single generator behind all of them.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels (macro, JS, link annotation, document body, ...) say which channel reached each URL.
    • http://nextlevelbizgrowth.com/uploads/1/3/0/7/130738499/nefota-kikuvajonoro.pdf
    • http://ngravinggifts.shop/uploads/1/3/0/8/130874413/3965985.pdf
    • http://kmradvisers.com/uploads/1/3/0/4/130435821/6851565.pdf
    • http://bankerator.com/uploads/1/3/0/5/130543816/b30a8ca45.pdf
    • http://samuelyusuf.com/uploads/1/3/0/5/130550936/sokawojibir-lafemebod-tezezowaso-pugagu.pdf
    • http://www.groundbreakingconstruction.net/uploads/1/3/0/6/130604757/8870423.pdf
    • http://www.lakshmananand.net/uploads/1/3/0/6/130639364/87088.pdf
    • http://bolam.truedesignscs.com/uploads/1/3/0/4/130489914/wexuxezifudodujesoso.pdf
    • http://whyusehghgel.com/uploads/1/3/0/3/130313748/5ebdf8506ca69.pdf
    • http://accomplishquiltingmail.com/uploads/1/3/0/4/130483205/1898483.pdf
    • http://schnore.com/uploads/1/3/0/4/130435998/578fd69513381.pdf
    • http://workbus.com/uploads/1/3/0/7/130775540/gadevoxirazasowobil.pdf
    • http://memoire-alat.fr/uploads/1/3/0/7/130775722/1169808.pdf
    • http://ajoboerenhulp.eu/uploads/1/3/0/7/130738568/sadowafef_devaxejegagu_wexamuwuxodewow_lujabopejofugak.pdf
    • http://maxdurrant.com/uploads/1/3/0/3/130323360/8738090.pdf
    • http://hesheng.f18.ebkf.org/uploads/1/3/0/5/130550952/172f8.pdf
    • http://flourishmychild.com/uploads/1/3/0/3/130379841/vonekurakowipi-nabatubavuf.pdf
    • http://therockstarwithinyou.com/uploads/1/3/0/4/130435601/6876498.pdf
    • http://banjolele.net/uploads/1/3/0/8/130873802/gerirugupifusuf.pdf
    • http://beyondhillco.com/uploads/1/3/0/2/130270945/130270945.html#ubiquiti+nanostation+loco+m2+bridge+mode
    • http://banjolele.net/uploads/1/3/0/8/130873802/geriru

Extracted artifacts (2)

Files carved from inside the sample during analysis.

font_00_sfnt_off00002e91.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2E91
  Size: 16036 bytes
  SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63

font_01_sfnt_off0000457f.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x457F
  Size: 7484 bytes
  SHA-256: 9e5c0d7e45c49232e848441800c81faff4320c919b85d78db7a68a116a3b027e
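Reproducing the link-farm heuristic and the font carving (added example, not code from the analysis platform that produced this report). The script below reads a PDF with plain regular expressions, scores the PDF_SEO_LINK_FARM features described under Heuristics (small file, many external .pdf links, targets clustered on one host or on one path template), and carves embedded sfnt font streams with file offset, decoded size and SHA-256 as in the Extracted artifacts table above. The thresholds MAX_SIZE, MIN_PDF_LINKS and CLUSTER_SHARE are assumptions for illustration; the sample PDF, its URLs and the font blob are constructed inside the script and do not reproduce the real sample's hashes. One caveat the artifact table implies: the sizes must be decoded sizes, because 0x2E91 + 16036 bytes would run past the second font's offset 0x457F, so the tool reports the stream's file offset together with its inflated length, which is what carve_fonts returns.

```python
"""Link-farm scoring and font carving for a PDF (added example, not the report
platform's code). Thresholds are illustrative assumptions; the sample PDF,
its URLs and the font blob at the bottom are constructed here for the demo."""
import hashlib
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

MAX_SIZE = 100_000     # bytes (assumption; the analysed sample is 41.7 KB)
MIN_PDF_LINKS = 10     # assumption
CLUSTER_SHARE = 0.8    # assumption: share of links on the top host or path template

STREAM_RE = re.compile(rb"(?<!end)stream\r?\n")
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")  # direct /Length values only
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")      # literal strings, not <hex>
SFNT_MAGIC = (b"\x00\x01\x00\x00", b"OTTO", b"true")       # TrueType / CFF / Mac TrueType


def iter_streams(pdf):
    """Yield (file offset of the stream data, object header, decoded data)."""
    for m in STREAM_RE.finditer(pdf):
        start = m.end()
        header = pdf[max(pdf.rfind(b" obj", 0, m.start()), 0):m.start()]
        n = LENGTH_RE.search(header)
        if n:
            raw = pdf[start:start + int(n.group(1))]
        else:  # indirect /Length: fall back to the endstream keyword
            end = pdf.find(b"endstream", start)
            if end < 0:
                return
            raw = pdf[start:end].rstrip(b"\r\n")
        if b"/FlateDecode" in header:
            try:
                raw = zlib.decompress(raw)
            except zlib.error:
                continue  # corrupt or differently filtered stream: skip it
        yield start, header, raw


def extract_uris(pdf):
    """Distinct /URI targets from raw objects and from inflated streams
    (annotations may live in object streams), in order of first appearance."""
    seen = {}
    for blob in [pdf] + [data for _, _, data in iter_streams(pdf)]:
        for m in URI_RE.finditer(blob):
            uri = re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")
            seen.setdefault(uri, None)
    return list(seen)


def link_farm_score(pdf):
    """Features behind a PDF_SEO_LINK_FARM-style verdict."""
    external = [u for u in extract_uris(pdf) if u.lower().startswith(("http://", "https://"))]
    pdf_links = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in external)
    # Path template with digits collapsed: /uploads/1/3/0/7/130738499 and
    # /uploads/1/3/0/4/130435821 become the same key, as in the analysed sample.
    shapes = Counter(re.sub(r"\d+", "N", urlsplit(u).path.rsplit("/", 1)[0]) for u in external)
    n = len(external)
    top_host = hosts.most_common(1)[0][1] / n if n else 0.0
    top_shape = shapes.most_common(1)[0][1] / n if n else 0.0
    return {
        "size": len(pdf), "external": n, "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts), "top_host_share": top_host,
        "top_path_shape_share": top_shape,
        "flagged": len(pdf) <= MAX_SIZE and len(pdf_links) >= MIN_PDF_LINKS
                   and max(top_host, top_shape) >= CLUSTER_SHARE,
    }


def carve_fonts(pdf):
    """Embedded sfnt font streams: file offset, decoded size and SHA-256."""
    return [{"offset": off, "size": len(data), "sha256": hashlib.sha256(data).hexdigest()}
            for off, _, data in iter_streams(pdf) if data[:4] in SFNT_MAGIC]


def build_sample_pdf(urls, font_blob):
    """Constructed test input (not the analysed file): one page of /Link
    annotations plus one FlateDecode font stream."""
    refs = b" ".join(b"%d 0 R" % (5 + i) for i in range(len(urls)))
    comp = zlib.compress(font_blob)
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"<< /Type /Page /Parent 2 0 R /Annots [" + refs + b"] >>",
            b"<< /Length %d /Length1 %d /Filter /FlateDecode >>\nstream\n"
            % (len(comp), len(font_blob)) + comp + b"\nendstream"]
    objs += [b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI ("
             + u.encode() + b") >> >>" for u in urls]
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i, o) for i, o in enumerate(objs, 1))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed inputs: twelve .pdf links on twelve hosts that share one path template
# (the shape seen in the report), one .html SEO link, and a fake TrueType blob.
SAMPLE_URLS = ["http://host%02d.example/uploads/1/3/0/%d/1303%05d/f%d.pdf" % (i, i % 9, i, i)
               for i in range(12)]
SAMPLE_URLS.append("http://host00.example/uploads/1/3/0/2/130270945/130270945.html#keyword")
FONT_BLOB = b"\x00\x01\x00\x00" + bytes(range(256)) * 16
SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS, FONT_BLOB)

if __name__ == "__main__":
    print(link_farm_score(SAMPLE_PDF))
    for f in carve_fonts(SAMPLE_PDF):
        print("sfnt at 0x%X, %d bytes, sha256 %s" % (f["offset"], f["size"], f["sha256"]))
```

Run it as a script to print the score dictionary and the carved fonts for the constructed sample; for a real file, pass open(path, "rb").read() to link_farm_score and carve_fonts. The parser is deliberately minimal: it handles only direct /Length values, literal (not hex) /URI strings and FlateDecode streams, so switch to a full PDF parser such as pypdf or pdfminer when a sample uses other filters, encryption or cross-reference streams.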