Malicious PDF — malware analysis report

Static analysis result for SHA-256 f5e28d96219dd21b…

Verdict: MALICIOUS
File type: PDF
Size: 76.9 KB
Authoring application: Soda PDF
MD5: f969a4baed57669d277bcec580e65160
SHA-1: 98e3098caf601ff556dc0236c0811c3c82b12417
SHA-256: f5e28d96219dd21b85041b1b66b8abb51c96ff2964c8a3b62ffb286e92c635af
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded external links, as indicated by the PDF_SEO_LINK_FARM heuristic. These links point to a network of domains, each hosting a PDF file with a similar numeric or descriptive slug in the URL. This suggests a coordinated effort to distribute content or redirect users, consistent with phishing or malware distribution campaigns. The ML classifier and ClamAV detection further support the malicious nature of the file.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000138d.bin
SHA-256: 0079c30768db8de67eb41a0d72634a80c73c0eea4413f16d4d9bd5e029d89e43
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x138D
Size: 8616 bytes

Filename: font_01_sfnt_off0000e738.bin
SHA-256: a71bf3f5476519d4ba1d2be4aa901cfa45544d6149a0d21e85aa77df8ba2d0fa
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xE738
Size: 16412 bytes