Malicious PDF — malware analysis report

Static analysis result for SHA-256 1902db6954531ea7…

MALICIOUS

PDF

Size: 51.3 KB
Authoring application: Inkscape
MD5: 4d3f9e82b1dc320bbef5986e28bdd4a9
SHA-1: 156c6468f7dada5c6a9f6ef1e94e3ab5eca0dcc0
SHA-256: 1902db6954531ea78517c9246a74e0593a754c2341a5a60a295728830aea65c0
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs pointing to external PDF files, a technique often used for SEO manipulation or to distribute further malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent, consistent with a phishing or content distribution scheme. No scripts were extracted, but the sheer volume of linked external PDFs suggests a coordinated effort to redirect users.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://beachampion2.com/uploads/1/3/0/3/130312971/favedumisi_lulen.pdf
    • http://cdn-2.fuzzfaced.net/uploads/1/3/0/7/130740547/7014972.pdf
    • http://rotten.red/uploads/1/3/0/2/130288551/lalij.pdf
    • http://jumpforjoysanantonio.com/uploads/1/3/0/3/130324320/801310415f14.pdf
    • http://drhiura.net/uploads/1/3/0/5/130589261/1687394.pdf
    • http://realliferecords.com/uploads/1/3/0/4/130483617/e567d20.pdf
    • http://nzcarcovers.com/uploads/1/3/0/7/130739544/0f58f4932d5476.pdf
    • http://mothermoxie.com/uploads/1/3/0/5/130588653/mutuxilediwe-nevanikev.pdf
    • http://dandeliontrade.com/uploads/1/3/0/7/130776230/5492124.pdf
    • http://madewithlasers.net/uploads/1/3/0/4/130435524/b920fc94e173.pdf
    • http://kimchibabe.com/uploads/1/3/0/4/130476586/powegebopesa_xajotad_zeseb_wexotixodowupub.pdf
    • http://www.forsalebyownerdiscount.com/uploads/1/3/0/2/130271259/43508.pdf
    • http://ginnyenbodyrealty.com/uploads/1/3/0/2/130270895/b2809.pdf
    • http://mjacoby88.com/uploads/1/3/0/2/130272988/3dee653becc50.pdf
    • http://bslartquilts.com/uploads/1/3/0/7/130776183/2f1712b87664.pdf
    • http://ashleyandjeffery.com/uploads/1/3/0/7/130775880/dixunened-zomisizebe.pdf
    • http://tomlost.com/uploads/1/3/0/8/130874286/kijuvavumobefanewona.pdf
    • http://michellejestersite.com/uploads/1/3/0/2/130289279/lagexulanakukimujo.pdf
    • http://merx-group.com/uploads/1/3/0/6/130604499/5a107.pdf
    • http://avhealthcarenews.net/uploads/1/3/0/5/130543764/d12debda8.pdf
    • http://mydsasecurity.com/uploads/1/3/0/2/130272484/283631.pdf
    • http://hillcountryhr.com/uploads/1/3/0/2/130272395/60c85fdd9b78e.pdf
    • http://s9kfv.slpny.com/uploads/1/3/0/9/130969462/130969462.html#agile+scrum+master+training+hyderabad
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00000f56.bin
SHA-256: 42d731d60030b177a0dd4f3e23aafb516e01b436d58766b12b14ed7eec0d9d34
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF56
Size: 8496 bytes

Filename: font_01_sfnt_off00006fa2.bin
SHA-256: 32b54217619f9438721b423dc2f4f4da0f78781b0811ea49af2be6b0310ecf56
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6FA2
Size: 16164 bytes