Malicious PDF — malware analysis report

Static analysis result for SHA-256 0401876564952f01…

MALICIOUS

PDF

Size: 44.2 KB
Authoring application: Scribus
MD5: 48f34025dd4275e9a5867563e07a036d
SHA-1: 3606cf403de602ab5a472f7a845d464d8125f4ff
SHA-256: 0401876564952f01168bd3ea6b8b999c46fd86db23b7db61a8068d88d67d1369
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was flagged by multiple heuristics, including a critical rule for a large external PDF link farm and a ClamAV detection for phishing. The document body contains numerous URLs pointing to PDF files on various domains, suggesting a campaign to distribute content or manipulate search engine results. No scripts were extracted, but the sheer volume of external links indicates a malicious intent to redirect the user to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://runiz.nikulin-ildar.ru/uploads/2020/01/29/zujewemaf-kinowawagu-seral.pdf
    • http://strawberrygoosephotography.com/uploads/1/3/0/5/130544067/620243.pdf
    • http://merole.vizitki-listovki.ru/uploads/2020/01/27/71f9cb9c0.pdf
    • http://mdslearnderm.com/uploads/1/3/0/5/130588467/razagezepufiki.pdf
    • http://knvanna.ru/uploads/2020/01/27/4786390.pdf
    • http://reneteassuredtitleagency.us/uploads/1/3/0/5/130588394/pozeg-gixike-zeridelufi.pdf
    • http://occulterictees.com/uploads/1/3/0/3/130379503/jerefiwe-betaditobe.pdf
    • http://audio-start44.icu/uploads/2020/01/27/gapilelasut-musogamivame-dolowun.pdf
    • https://zuwalamololi.weebly.com/uploads/1/3/0/3/130312976/cab7f59bd6.pdf
    • http://derodox.qayl.club/uploads/2020/01/27/9396800.pdf
    • http://fig.multiclimat.ru/uploads/2020/01/28/7105875.pdf
    • http://mijnheerdegroot.nl/uploads/1/3/0/5/130551116/293ae3.pdf
    • http://oregonap.com/uploads/1/3/0/5/130550980/7354988.pdf
    • http://rootfivefarm.com/uploads/1/3/0/5/130539311/2c70d.pdf
    • http://xudufivo.alkovozim.com/uploads/2020/01/27/giwadi.pdf
    • http://kelleyssprinklerandlandscaping.com/uploads/1/3/0/4/130489958/vosuzosuvaz.pdf
    • http://confidentbusinesssuport.com/uploads/2020/01/27/norunugobu-fitafumiji-tibipatizir.pdf
    • http://moodlabnewlife.nl/uploads/1/3/0/2/130273801/130273801.html#autopsy+report+on+bc+killers
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off000014d8.bin
    SHA-256: 9a157d12b2fdb542b86810b922b28f08b51a1ab032739e4ae4e6629b3e59ff76
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14D8
    Size: 7616 bytes
  • font_01_sfnt_off00006397.bin
    SHA-256: 598b436daaf3d122157f8aae4d95cb5f98998d7541b527c84c982bd0659a624f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6397
    Size: 16888 bytes