Malicious PDF — malware analysis report

Static analysis result for SHA-256 fa7da54def5864e6…

Verdict: MALICIOUS
File type: PDF
Size: 41.6 KB
Authoring application: ImageMagick
MD5: e0d9fa1ee8f5d04db66d11a7f0e32b04
SHA-1: 497a6856f9e5ad7a45113adc86b689c763b0a2fa
SHA-256: fa7da54def5864e6094a2d009dafa118864249a630e470540f02b7a61f9994e2
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF was flagged by multiple heuristics, including a critical finding for a link farm containing 31 external PDF links. The ML classifier also strongly indicated maliciousness. The embedded URLs point to various domains, suggesting a broad distribution or redirection scheme. While no scripts were extracted, the PDF structure and link farm indicate a phishing or SEO manipulation attack.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000471d.bin
SHA-256: 38bded9a1dc467f0438f0cb23277b8819729409b36ca8bc99401712f38ff9fcc
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x471D
Size: 8164 bytes