Malicious PDF — malware analysis report

Static analysis result for SHA-256 15571d9e918c44c2…

MALICIOUS

PDF

50.0 KB Authoring application: Inkscape
MD5: a6aa171b70bd91046380ad39bf72cd84 SHA-1: 0b5b5d21c28ddffc20e15dc4385f92f051700c11 SHA-256: 15571d9e918c44c2fa384ba046dc06642fcc327ae62d559a4c2829f1e2c753af
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of embedded URLs pointing to external PDF files, a technique often used for SEO spam or to distribute malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent, specifically identified as phishing. While no scripts were explicitly extracted, the PDF structure and embedded URLs suggest an attempt to redirect the user to malicious content, likely as part of a phishing campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://dal.1posvetu.com/uploads/2020/01/29/cb71807.pdf
    • http://sukojer.ktosvoboden.com/uploads/2020/01/28/tadapodenugav.pdf
    • http://nixe.pmwork.ru/uploads/2020/01/28/wivab-xifigimumosanoj-tosurotu.pdf
    • http://dickersonconstruct.com/uploads/1/3/0/2/130271116/digufexikefudit.pdf
    • https://jeselexejejofan.weebly.com/uploads/1/3/0/2/130273623/6605249.pdf
    • http://fupu.wisdom-olga.ru/uploads/2020/01/28/3cc762b.pdf
    • http://diba.funblog.online/uploads/2020/01/27/9535315e341b.pdf
    • http://dax.otvetrelax.ru/uploads/2020/01/27/vutibonimix_zaxifovipop.pdf
    • http://luzazizur.podarysam.ru/uploads/2020/01/27/tapuw-fozopuxisuto-fadineluk.pdf
    • http://les-vareuses-a-dreuz.bzh/uploads/1/3/0/4/130435941/6406989.pdf
    • http://cfthomas.com/uploads/1/3/0/6/130621179/130621179.html#examen+comipems+2018+pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00001341.bin
4ef91a724f1003f8e4f0f9fd6376957913a1cf18e0ed2b5b300fdc461ceec759		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1341 10064 bytes
font_01_sfnt_off00008071.bin
d907c570f1f8f2d62f38d7529dbf77de46ca3a1917ec53aca7a78bae59874b04		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8071 2616 bytes
font_02_sfnt_off000088f1.bin
211ed2a624361a0f5f6333a9b24b37087347677bff3bc721dabe9d76fc845ca6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x88F1 1828 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.