MALICIOUS
Risk Score: 152
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
The PDF contains a large number of embedded external links, identified as a link farm. This technique is often used for SEO manipulation or to distribute further malicious content. ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and a high ML classifier score further support its malicious nature. The document body is heavily obfuscated and does not provide clear textual intent.
Machine Learning
- Nyx PDF Classifier malicious score 0.9992
Heuristics 3
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 3
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000683e.bin 27aad4e7100ae85831cc1a9cf4859e84521ff6b1ee9ac199fa10e6c4d4b25dad | pdf-font-stream | PDF embedded font (sfnt) at offset 0x683E | 2736 bytes |
| font_01_sfnt_off0000731e.bin 3fc7f218adc38bfae3bd679fdc3cea5baece7d858b8fa2f5126a1be9b793ad93 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x731E | 24420 bytes |
| font_02_sfnt_off000094f7.bin 1bc873258334692a216d890616bc7a3e89f8cc80338e434227f110d9407f1a90 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x94F7 | 10892 bytes |