Malicious PDF — malware analysis report

Static analysis result for SHA-256 ee97407d7c79d02d…

MALICIOUS

PDF

Size: 38.0 KB
Authoring application: PDFedit
MD5: 1c193d0c461c217a04773dfe9581b256
SHA-1: 4cde6e0c0ee190100d5b787526739734a1c3adae
SHA-256: ee97407d7c79d02dc0a8d84bfe3031b648c6939c006a9678ecf93141cfd195b8
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. The ML classifier and ClamAV detection strongly indicate malicious intent, specifically related to phishing or automated traffic generation. The document body text is heavily obfuscated and does not provide clear user-facing content, but the link farm suggests a lure to external malicious content. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003784.bin
SHA-256: ff52d836cf42364b1a3ea137042a54077b18b03a7a995ec67d50a9763aeafa90
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3784
Size: 7468 bytes