Malicious PDF — malware analysis report

Static analysis result for SHA-256 0c03e2ff13dbcc17…

Verdict: MALICIOUS
File type: PDF
Size: 48.0 KB
Authoring application: GIMP
MD5: 1d4205faea615c24ff0ce0890f9a574a
SHA-1: d4e6c549d7984d1c33d2377bd860822015760687
SHA-256: 0c03e2ff13dbcc1755c795a4f200bd9ddb67dbf743b64f73029c7bf197bb3ed1
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded external links, a technique often used for SEO manipulation or to distribute further malicious content. ClamAV identified this as Pdf.Phishing.TtraffRobotInstall, and an ML classifier also flagged it as malicious. While no scripts were directly extracted, the embedded URLs are the primary indicators of malicious intent, suggesting a phishing or content distribution scheme.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.jamesroxbystewart.com/uploads/1/3/0/8/130814132/35ca116.pdf
    • http://tjbrantley.com/uploads/1/3/0/7/130738741/jekev-toludadumugabix-toxubefusiga.pdf
    • http://djsacademy.com/uploads/1/3/0/5/130588594/moxupugidudexod-topogawodoso-wemaruzixunuxob-tiluvukev.pdf
    • http://thaochibi.com/uploads/1/3/0/5/130590457/tarabiroxekuzafedut.pdf
    • http://philadelphiaprek.com/uploads/1/3/0/7/130739867/kevug-vudolawofolo-ravimeximale-kunuzejotozoda.pdf
    • http://mgbbsewing.com/uploads/1/3/0/7/130739632/3581672.pdf
    • http://realrecruit.co.uk/uploads/1/3/0/5/130544009/9821507.pdf
    • http://nortonbio.com/uploads/1/3/0/2/130289254/divakuk.pdf
    • http://yourstoryof.com/uploads/1/3/0/4/130488661/dd52140.pdf
    • http://jeffk.ca/uploads/1/3/0/6/130621854/984552896e5b227.pdf
    • http://derryfieldrepertorytheatre.org/uploads/1/3/0/4/130490053/266974.pdf
    • http://www.pulsestudiosgames.com/uploads/1/3/0/6/130603922/miradobunuri.pdf
    • http://michaelfilipelli.com/uploads/1/3/0/3/130324289/pisazorako_fupozipu.pdf
    • http://nevermetapodcast.com/uploads/1/3/0/5/130540172/nukezake_xojaxosetuxiwa_vekobiz_gutizugivivow.pdf
    • http://bestppcpublishing.com/uploads/1/3/0/7/130775604/fugadem.pdf
    • http://thehangaruk.co.uk/uploads/1/3/0/7/130739747/086a0096ea0.pdf
    • http://aquapearl.studio/uploads/1/3/0/7/130775557/4e8ea8327.pdf
    • http://newoutsiderart.com/uploads/1/3/0/4/130476396/24674.pdf
    • http://restouch.com/uploads/1/3/0/6/130621782/buvugifiwa_pomipo_xojegatebopu.pdf
    • http://sunandmoonpublishing.com/uploads/1/3/0/3/130313504/8611364.pdf
    • http://la-mancha.org/uploads/1/3/0/2/130291783/nofobixu-vetuwula-bufem-tugiwofawev.pdf
    • http://whiteboardsandwanderlust.com/uploads/1/3/0/4/130436289/5ec2e0351.pdf
    • http://hairyourwaygr.com/uploads/1/3/0/4/130436054/mowabixorowud-rebufinizidazis.pdf
    • http://whitechocolategrille.com/uploads/1/3/0/3/130313103/4f297f7c56.pdf
    • http://modernpainrelievers.com/uploads/1/3/0/2/130292073/130292073.html#%C3%BCbungsaufgaben+ableitungen+pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off00003355.bin
    SHA-256: 985cbd9ba5b629f1b749d04d852c0eecb5d8ad374186a1044a60da9476420dc6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3355
    Size: 2788 bytes
  • font_01_sfnt_off00003c94.bin
    SHA-256: 319f9c996375511bbe969d0b76506a2162f7d522988cd2631b41a5a1e417b94d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3C94
    Size: 16040 bytes
  • font_02_sfnt_off0000544c.bin
    SHA-256: 6be3e3b365ca54d064978da37600b29902a6b0344c54eef0f52ab9e85bbfeb3b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x544C
    Size: 9520 bytes