Malicious PDF — malware analysis report

Static analysis result for SHA-256 fdbcd6ced507fcf0…

MALICIOUS

PDF

Size: 38.9 KB
Authoring application: SWFTools
MD5: 9e2fecb840b5ce6c91e172ad2fd3b2a1
SHA-1: 5081cbf90ad0ff97a3cd34db5e7bac1b306c7d0d
SHA-256: fdbcd6ced507fcf07bddd4b7b93462d9651fcb41e0568c855479e3c81e57e066
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File (the report labels this ID "Malicious Link"; that name belongs to T1204.001, which is the technique that applies once a user follows one of the embedded links)

The file was flagged by three independent signals: a ClamAV signature, the Nyx ML classifier and the PDF_SEO_LINK_FARM heuristic. The heuristic fired on the large number of clickable external links to other PDFs. The extracted URLs point at more than twenty distinct hosts but share a single path template (/uploads/1/3/0/<n>/<id>/<name>.pdf), so the clustering here is by path shape rather than by host; that is the signature of a generated link-farm set, not of genuine document citations. The linked PDFs are most likely further carrier documents that route the user to phishing pages or unwanted-software downloads. Treat every listed URL as hostile and fetch them only from an isolated analysis host.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://35andunder.com/uploads/1/3/0/7/130776159/faea7fed4ee1e.pdf
    • http://moversdaytonabeach.com/uploads/1/3/0/6/130621596/9117036.pdf
    • http://sno-ops.org/uploads/1/3/0/3/130379921/galoziku_zejejaf.pdf
    • http://nearspaceengineering.org/uploads/1/3/0/6/130604838/xujijiraliku.pdf
    • http://lukeharper.com/uploads/1/3/0/8/130813799/7129919.pdf
    • http://aquaticsspace.com/uploads/1/3/0/7/130739897/6999130.pdf
    • http://getsomestones.com/uploads/1/3/0/6/130639845/9e1d4.pdf
    • http://ramosironworks.net/uploads/1/3/0/5/130589125/54602f422cf8ba.pdf
    • http://westcoastphotoservice.com/uploads/1/3/0/8/130814441/kizejukafuzupan.pdf
    • http://wodate.com/uploads/1/3/0/5/130543816/tumitubi_konatorenisa_dovonigole.pdf
    • http://allsettogo.com/uploads/1/3/0/7/130738978/mexivovolexumed.pdf
    • http://homegrownent.net/uploads/1/3/0/7/130740046/wutipejufirenizurak.pdf
    • http://alternativerealitycbd.com/uploads/1/3/0/2/130274319/92983c7ac5632.pdf
    • http://hostmaster.erincullimore.co.uk/uploads/1/3/0/8/130814129/lirasunilu-sarasul.pdf
    • http://elementhomeaudio.com/uploads/1/3/0/7/130775076/32627db40.pdf
    • http://marcelastraub.com/uploads/1/3/0/5/130550986/851326e3dae959b.pdf
    • http://arty-lab.com/uploads/1/3/0/4/130489175/0befc.pdf
    • http://www.stylebysofi.com/uploads/1/3/0/7/130739719/jekevuxogalidas.pdf
    • http://jesusplusnothing.net/uploads/1/3/0/5/130588258/razud.pdf
    • http://helenabperryfinancial.com/uploads/1/3/0/4/130490461/6088f19ecfb39af.pdf
    • http://bantunation.ca/uploads/1/3/0/7/130740001/1802768.pdf
    • http://otf.brdge.org/uploads/1/3/0/4/130488227/130488227.html#denotation+and+connotation+science+words
    • http://www.stylebysofi.com/uploads/1/3/0/7/130
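The PDF_SEO_LINK_FARM heuristic above is described only in words. The following is an added example (not the report engine's code) of how such a check can be implemented at the byte level: it pulls every /URI literal out of link annotations, counts external and .pdf targets, and measures clustering both by host and by path template, since in this sample the links spread over many hosts but share one /uploads/... path shape. The sample PDF, its hosts and the thresholds are constructed assumptions for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample links (hypothetical hosts, not the ones from the report). They
# copy the pattern the report shows: many different hosts, one shared
# /uploads/1/3/0/<n>/<id>/<name>.pdf path template, plus one ordinary HTML link.
SAMPLE_LINKS = [
    b"http://host-a.example/uploads/1/3/0/7/130776159/faea7.pdf",
    b"http://host-b.example/uploads/1/3/0/6/130621596/9117036.pdf",
    b"http://host-c.example/uploads/1/3/0/3/130379921/galozi.pdf",
    b"http://host-d.example/uploads/1/3/0/6/130604838/xujiji.pdf",
    b"http://host-e.example/uploads/1/3/0/8/130813799/7129919.pdf",
    b"http://docs.example/manual.html",
]

def build_sample_pdf(links):
    """Assemble a minimal, xref-less PDF skeleton with one /Link annotation per URL.
    It is enough for a byte-level scanner; a viewer would also want an xref table."""
    objs = [b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj"]
    annots = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(links)))
    objs.append(b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [" + annots + b"] >> endobj")
    for i, url in enumerate(links):
        objs.append(b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    b"/A << /S /URI /URI (%s) >> >> endobj" % (4 + i, url))
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"

# /URI (...) literal strings; backslash escapes may hide ')' inside the URL
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}

def unescape_literal(s):
    r"""Resolve PDF literal-string escapes (\(, \), \\, \n ...); octal escapes are left as-is."""
    return re.sub(rb"\\(.)", lambda m: ESCAPES.get(m.group(1), m.group(1)), s, flags=re.S).decode("latin-1")

def extract_uris(pdf_bytes):
    """Every /URI literal in the raw bytes, including ones in orphaned objects.
    Objects packed into /ObjStm streams are missed unless inflated first (out of scope here)."""
    return [unescape_literal(m.group(1)) for m in URI_RE.finditer(pdf_bytes)]

def path_template(url):
    """Directory part of the URL with digit runs collapsed to '#', so that
    /uploads/1/3/0/7/130776159/x.pdf and /uploads/1/3/0/6/130621596/y.pdf cluster together."""
    directory = urlsplit(url).path.rsplit("/", 1)[0] + "/"
    return re.sub(r"\d+", "#", directory)

def link_farm_assessment(pdf_bytes, max_size=100 * 1024, min_links=5,
                         min_pdf_share=0.8, min_cluster_share=0.6):
    """Reproduce the shape of the PDF_SEO_LINK_FARM check: a small file, many external
    links, nearly all to .pdf targets, clustered either by host or by path template.
    Thresholds are illustrative assumptions, not the report engine's values."""
    external = [u for u in extract_uris(pdf_bytes) if urlsplit(u).scheme in ("http", "https")]
    n = len(external)
    pdf_links = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in external)
    templates = Counter(path_template(u) for u in pdf_links)
    top_host, top_host_n = hosts.most_common(1)[0] if hosts else (None, 0)
    top_tpl, top_tpl_n = templates.most_common(1)[0] if templates else (None, 0)
    result = {
        "size": len(pdf_bytes), "external_links": n, "pdf_links": len(pdf_links),
        "top_host": top_host, "top_host_share": top_host_n / n if n else 0.0,
        "top_template": top_tpl, "top_template_share": top_tpl_n / n if n else 0.0,
    }
    clustered = max(result["top_host_share"], result["top_template_share"]) >= min_cluster_share
    result["link_farm"] = bool(len(pdf_bytes) <= max_size and n >= min_links
                               and n and len(pdf_links) / n >= min_pdf_share and clustered)
    return result

if __name__ == "__main__":
    for k, v in link_farm_assessment(build_sample_pdf(SAMPLE_LINKS)).items():
        print("%-20s %s" % (k, v))
```

Scanning raw bytes instead of walking the object tree is a deliberate choice for triage: it also surfaces URIs in unreferenced objects, at the cost of missing anything inside compressed object streams. Clustering by path template is what makes the report's URL set stand out; clustering by host alone would have scored it low.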

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000038d9.bin
SHA-256: eb6aeb6243dd61af85cff74cc23e585491dbf454c9fc42436cde0158be6827f3
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x38D9
Size: 7668 bytes
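The artifact table records a font stream carved at a byte offset and hashed. As an added example (not the analysis pipeline's own carver), the following walks every stream in a PDF, honours /Length only when it really lands on the endstream keyword, inflates FlateDecode streams, keeps those whose payload starts with an sfnt magic, and names them the way the table does. The sample PDF and its fake font are constructed inline; the content stream deliberately carries a wrong /Length to exercise the fallback.

```python
import hashlib
import re
import zlib

# sfnt container signatures: TrueType (0x00010000 / 'true'), CFF-flavoured OpenType ('OTTO'), collection ('ttcf')
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def build_fake_sfnt():
    """Constructed stand-in for a TrueType font: a valid sfnt header and one 'head'
    table directory entry pointing at 54 zero bytes. No glyphs; only the magic matters here."""
    header = b"\x00\x01\x00\x00" + b"\x00\x01" + b"\x00\x10\x00\x00\x00\x00"  # numTables=1, searchRange/entrySelector/rangeShift
    table_dir = b"head" + b"\x00\x00\x00\x00" + (28).to_bytes(4, "big") + (54).to_bytes(4, "big")  # tag, checksum, offset, length
    return header + table_dir + b"\x00" * 54

def build_sample_pdf(font):
    """Constructed PDF (not the analysed sample): a FontDescriptor whose /FontFile2 is a
    FlateDecode stream, plus an unrelated content stream whose /Length is wrong on purpose."""
    data = zlib.compress(font)
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj",
        b"3 0 obj << /Type /FontDescriptor /FontName /Fake /FontFile2 4 0 R >> endobj",
        b"4 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(data) + data + b"\nendstream\nendobj",
        b"5 0 obj << /Length 11 >>\nstream\nBT ET q Q\nendstream\nendobj",
    ]
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"

def iter_streams(pdf):
    """Yield (data offset, stream dictionary bytes, raw data) for every stream in the file.
    /Length is trusted only when it is a direct integer that really lands on 'endstream';
    otherwise the keyword is scanned for, which is what a carver must do when /Length is an
    indirect reference or simply lies (malicious PDFs frequently get it wrong on purpose)."""
    for m in re.finditer(rb"(?<!end)stream\r?\n", pdf):
        start = m.end()
        dict_start = pdf.rfind(b"obj", 0, m.start())
        d = pdf[dict_start:m.start()] if dict_start >= 0 else b""
        end = None
        n = re.search(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)", d)
        if n:
            cand = start + int(n.group(1))
            if re.match(rb"\s*endstream", pdf[cand:cand + 16]):
                end = cand
        if end is None:
            end = pdf.find(b"endstream", start)
            if end < 0:
                continue
            while end > start and pdf[end - 1] in b"\r\n":
                end -= 1  # drop the EOL that precedes the keyword; it is not stream data
        yield start, d, pdf[start:end]

def carve_sfnt_fonts(pdf):
    """One record per stream whose (inflated) payload starts with an sfnt magic,
    named like the report's font_NN_sfnt_offXXXXXXXX.bin artifacts."""
    found = []
    for offset, d, raw in iter_streams(pdf):
        payload = raw
        if b"/FlateDecode" in d:
            try:
                payload = zlib.decompress(raw)
            except zlib.error:
                continue  # corrupt or multi-filter stream; a fuller carver would try the other filters
        if not payload.startswith(SFNT_MAGICS):
            continue
        found.append({
            "filename": "font_%02d_sfnt_off%08x.bin" % (len(found), offset),
            "offset": offset,          # offset of the raw (still compressed) stream data in the file
            "raw_len": len(raw),
            "size": len(payload),      # decoded size, which is what the artifact table reports
            "sha256": sha256_hex(payload),
        })
    return found

if __name__ == "__main__":
    for art in carve_sfnt_fonts(build_sample_pdf(build_fake_sfnt())):
        print(art)
```

Hashing the decoded payload rather than the compressed bytes is what makes the artifact hash comparable across samples: the same font re-embedded by a different generator compresses differently but decodes to identical bytes.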