Malicious PDF — malware analysis report

Static analysis result for SHA-256 1994dfb915f9e57c…

Verdict: MALICIOUS

File type: PDF

Size: 42.9 KB
Authoring application: Inkscape
MD5: 9055dd0f8abae46a3554cfb13617075f
SHA-1: f560313bc132788131d3471a0c5380083d0ac961
SHA-256: 1994dfb915f9e57c0ef3155550c3c63b9aed39eba7e96ec6d64101672bdb8c64
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document was flagged by multiple heuristics, including a critical finding for a large external PDF link farm and ClamAV detection as phishing malware. The embedded URLs, such as http://www.avila-vs-leukemia.com/uploads/1/3/0/4/130436093/savejimofekepidot.pdf, suggest a phishing or malware distribution campaign. Although no scripts were explicitly extracted, the PDF structure and link farm indicate a malicious intent to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00003c9e.bin
    SHA-256: 1a3ebf7f70dfdc21905c3fbff2d86b968b5d5a7deb25e22b56ce8ccba111afab
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3C9E
    Size: 1972 bytes
  • Filename: font_01_sfnt_off00004813.bin
    SHA-256: 6c4b952b828bbbce0edb6a520be8bc5742125aa29e723fe7661d677dadfe0e44
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4813
    Size: 7876 bytes