Malicious PDF — malware analysis report

Static analysis result for SHA-256 12e97422f54413ff…

Verdict: MALICIOUS
File type: PDF
Size: 41.1 KB
Authoring application: Karbon
MD5: 537a714324dc5afa3c746117e3524b8f
SHA-1: 4762b8598c75da497a3069931c868b559f44cfa8
SHA-256: 12e97422f54413ff2e3f6c2f32ed086fe8345734d0e9ff2643421ed0cd19e964
Risk Score: 192

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of algorithmically generated URLs, indicating a link farm designed to redirect users. The ClamAV detection and ML classifier strongly suggest malicious intent, likely for phishing or distributing further malware. No scripts were extracted, but the embedded URLs are the primary indicators of compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • PDF link to algorithmically-generated URL (severity: high, rule: PDF_RANDOM_URL_LINK)
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002cc6.bin
  SHA-256: 577b20a5af0f8cb810b0a5bca7c5b5be2034ce13f15e94cfd735e15b31700d36
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x2CC6
  Size: 7684 bytes

Filename: font_01_sfnt_off0000437e.bin
  SHA-256: 3fde23e35516e9f80330ce577f7718948083781e3a96fc05b9f93e35df8255a4
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x437E
  Size: 7968 bytes