Malicious PDF — malware analysis report

Static analysis result for SHA-256 0b28a35b0af4fb21…

Verdict: MALICIOUS
File type: PDF
Size: 40.2 KB
Authoring application: Inkscape
MD5: 56cfbf7c9c843402b3bfb432874b7150
SHA-1: 904e14964cf7ad29c350a67da534ad0222242227
SHA-256: 0b28a35b0af4fb21099d95aef98e834479e5ca70fe22ef6d615a9c653d6f7140
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs pointing to other PDF files hosted on various domains, indicating a link farm or distribution mechanism. ClamAV detected this as Pdf.Phishing.TtraffRobotInstall, and ML classifiers also flagged it as malicious. The embedded URLs are the primary IOCs, suggesting the document's purpose is to redirect users to potentially malicious or SEO-manipulated content.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://michkah.com/uploads/1/3/0/4/130476244/dotixewepudoseto.pdf
    • http://barbadiancanadians.com/uploads/1/3/0/2/130288419/redutodelibanef_naxesewovewu_lunumejisoj_kuxuvuxovix.pdf
    • http://tickled-ink.co.uk/uploads/1/3/0/2/130270937/zaxolamotamuvomexiz.pdf
    • http://emilyburdettphotography.com/uploads/1/3/0/5/130551067/8b39ec2.pdf
    • http://newearthwarrior.org/uploads/1/3/0/4/130491181/4115972.pdf
    • https://radozugenapu.weebly.com/uploads/1/3/0/3/130323594/fataguganuxekusaloxe.pdf
    • https://fakiwasekus.weebly.com/uploads/1/3/0/3/130379060/c34694f04.pdf
    • http://re-electgregbeck2018.com/uploads/1/3/0/2/130289508/1927608.pdf
    • http://ronavifado.mywaycreative.art/uploads/2020/01/28/nokofedanidume.pdf
    • http://sanderwesdijk.weebly.com/uploads/1/3/0/3/130324075/loliworolefutukuzi.pdf
    • http://mountyhorseandsports.com/uploads/1/3/0/4/130436258/433fc9.pdf
    • http://053748270.com/uploads/1/3/0/4/130476243/5205096.pdf
    • http://radioevasi.com/uploads/1/3/0/6/130639859/7622761.pdf
    • http://laketanglewood.net/uploads/1/3/0/3/130323527/3abf61e5913b46d.pdf
    • http://zitesideda.sloto-cash.ru/uploads/2020/01/28/8220639.pdf
    • http://messiniako-catering.com/uploads/1/3/0/6/130621153/fulifeju.pdf
    • http://konak9.com/uploads/1/3/0/6/130621569/2cb4403.pdf
    • http://meshayla.com/uploads/1/3/0/6/130604689/130604689.html#nice+guidelines+sepsis+lactate

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000014c7.bin
Hash: b19cbff179c53c42d0f8d2f934c805c9dba0845607683b323490a7554d5d51fb
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x14C7
Size: 7508 bytes