Malicious PDF — malware analysis report

Static analysis result for SHA-256 175c83f1a8cdaa4f…

MALICIOUS

PDF

Size: 46.3 KB
Authoring application: Scribus
MD5: dff3b05a5d1444778d350a1d2c3cc1f6
SHA-1: 681bc5e2a70e96e1bca8c8a0653f3dc9201b9f2d
SHA-256: 175c83f1a8cdaa4f942251f8899d3bd0dd8412a0f8b05386c5b2891113598d9c
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded external links, identified as a link farm, which is a common technique for distributing malware or conducting phishing attacks. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or redirecting users to malicious content. No scripts were extracted, but the presence of numerous URLs suggests a redirection-based attack.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000050d4.bin
SHA-256: cdd11a0a573e8df7d2b74e224ca7000b84162b4f6f8831c4ae17433803b92851
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x50D4
Size: 8696 bytes