Malicious PDF — malware analysis report

Static analysis result for SHA-256 048d305dd443c405…

Verdict: MALICIOUS
File type: PDF
Size: 32.7 KB
Authoring application: Scribus
MD5: 9bf9dfc722bafe96ba8c810f66bbf547
SHA-1: 779e163fbfa5733f6657b8f869f65d9ef59b0491
SHA-256: 048d305dd443c4054ced91c0a98ab5768d0de77439b688560f39e3ec30f95972
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF file was flagged by multiple heuristics, including a critical PDF_SEO_LINK_FARM rule and ClamAV detection as Pdf.Phishing.TtraffRobotInstall. The document contains a mass of embedded external links pointing to other PDF files across numerous domains. The ML classifier also strongly indicated maliciousness. The presence of these links suggests a phishing or SEO spam campaign designed to redirect users to potentially malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000011a1.bin
SHA-256:  216bd1200916f4916d148a1947f4ca236de1967df4fe8e59c7cace5d8cd702c3
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x11A1
Size:     8248 bytes