Malicious PDF — malware analysis report

Static analysis result for SHA-256 f8657b56a8880cca…

MALICIOUS

PDF

38.6 KB Authoring application: Poppler-utils
MD5: 10a7a0fe8050cfcad140a4473a7a746c SHA-1: 9c09cc6f037026285f355bb1aa0104b5b7fd51e1 SHA-256: f8657b56a8880ccabeadd3e3aa5d2b95c3ed995d2f921792d4ba70d9a73ec8d7
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded links to external PDF documents, a technique often used for SEO manipulation or to distribute further malicious content. The heuristic 'PDF_SEO_LINK_FARM' specifically identifies this behavior, pointing to 'mjyoga.net' as a dominant host. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier further support the malicious nature of this file. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://mirror.netinch.com/pub/apache/
    • http://mjyoga.net/uploads/1/3/0/5/130543476/goxagafobi.pdf
    • http://katiemallen.com/uploads/1/3/0/3/130323697/1309593.pdf
    • http://christianmchoi.com/uploads/1/3/0/5/130543053/kisozuvisaveziri.pdf
    • http://shopnikkibella.com/uploads/1/3/0/3/130323811/ad4b21f7a3348a.pdf
    • http://acts2035.online/uploads/1/3/0/7/130775961/wukibi-kufudediwazajo-luroletodireduw.pdf
    • http://bootstrappingbettys.com/uploads/1/3/0/2/130272291/wuvenedavoju.pdf
    • http://abnerdelnorte.com/uploads/1/3/0/4/130488416/vigitopaxuj_wowulatusom.pdf
    • http://mistyriveriris.com/uploads/1/3/0/4/130436306/zenot-mirigesuretudiz-zorikilogipaji.pdf
    • http://www.boutmybestfriend.com/uploads/1/3/0/7/130776105/2283387.pdf
    • http://sekolahberpikirindonesia.com/uploads/1/3/0/6/130621640/2750837.pdf
    • http://tomlinsonoutdoors.com/uploads/1/3/0/3/130323232/roganosapejati-ziwudo-tisasisujoxobo-diruguzutujobo.pdf
    • http://protechion.us/uploads/1/3/0/2/130287302/salunijovemiba.pdf
    • http://lydia-gaertner.de/uploads/1/3/0/6/130639172/a1adfed8a.pdf
    • http://equilibrium21.online/uploads/1/3/0/5/130539105/mivaba.pdf
    • http://nordicswimming.org/uploads/1/3/0/6/130639024/rebufebidevim.pdf
    • http://alyssaperryinteriors.com/uploads/1/3/0/5/130551957/vogemap.pdf
    • http://deadturnip.com/uploads/1/3/0/7/130739463/3656005.pdf
    • http://www.travelwithcowboyandhippie.com/uploads/1/3/0/6/130605280/a470204a55279.pdf
    • http://redandgreen.net/uploads/1/3/0/7/130776886/pafupibidomujog.pdf
    • http://almosteverything6dollars.com/uploads/1/3/0/5/130543682/eea09f890c.pdf
    • http://www.lilarot-vipshop.eu/uploads/1/3/0/2/130287536/130287536.html#apache+tomcat+9+for+windows+10+64+bit

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000036fe.bin
b9a817ab707186a22361185edf0a6fb4d7aa63a4c9e6078002ceeee2cbbfc87b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x36FE 8020 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.