Malicious PDF — malware analysis report

Static analysis result for SHA-256 f73cdc8ea23337d6…

Verdict: MALICIOUS
File type: PDF
Size: 136.5 KB
Authoring application: Serif PagePlus
MD5: a2c496ec0795e768cadbf3719eb8f935
SHA-1: 273e7a464f33eeb86c70665187b3e6966bf0393e
SHA-256: f73cdc8ea23337d66786568def469787a522455f7fe37170ded0c90699a3e5ef
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links to external PDF files hosted on various domains, as indicated by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection and ML classifier also flagged this file as malicious. The embedded URLs are likely used to redirect users to malicious content or phishing sites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9508

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
      • http://nicolestampsllc.com/uploads/1/3/0/5/130543545/7526353.pdf
      • http://tanishqspa.com/uploads/1/3/0/6/130604363/5349657.pdf
      • http://blissfulwanderers.com/uploads/1/3/0/2/130271245/kukinutalewo.pdf
      • http://blockchainambassador.ca/uploads/1/3/0/5/130590671/130590671.html#bermuda+lost+survivors++%E0%B8%9F%E0%B8%A3%E0%B8%B5

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Each entry lists the carved filename, its SHA-256, the artifact kind, where it was found in the sample (source), and its size.

  • font_00_sfnt_off000012f7.bin
    SHA-256: 12df86f54bc63dda26d4088ec7aa3bf37d906e1584d08566a6ad783c3072b7a6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12F7
    Size: 9076 bytes
  • font_01_sfnt_off00007887.bin
    SHA-256: a77ba9e813f05696bc7046ea9a50237a5dcc5493c86c3b92fc58201acd00af4b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7887
    Size: 10172 bytes
  • font_02_sfnt_off00009a2f.bin
    SHA-256: 94055d042724cde878bfa70930e36624bf873c0d4b470fbab20aa16b158755bb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9A2F
    Size: 18052 bytes