Malicious PDF — malware analysis report

Static analysis result for SHA-256 2280e3b444ee95af…

Verdict: MALICIOUS
File type: PDF
Size: 82.8 KB
Authoring application: Inkscape
MD5: d4691f6fdcc166956a77803ab1d14dd4
SHA-1: f49b575e3bded7e9c8a05dc8f44dc3f347caefa8
SHA-256: 2280e3b444ee95af36f949de4a4ce27b1d1d7a3f8b71ff3923f750a5e4aecec8
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The PDF contains a large number of clickable links to external PDF files hosted on other sites, a pattern characteristic of SEO-poisoning link farms used to route users into malicious or unwanted-software delivery chains rather than of a document citing sources. The ClamAV signature match and the ML classifier score both point to malicious intent. The document body consists of filler text with no coherent meaning, which suggests the file is not meant to be read but exists only to carry the links.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9995

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://jennygayle.com/uploads/1/3/0/5/130550785/godiwidunef.pdf
    • http://macprompter.net/uploads/1/3/0/4/130490181/rowudokum.pdf
    • http://nishadalaruzmani.net/uploads/1/3/0/3/130323251/f6f9547de55a.pdf
    • http://setfreeindeed.com/uploads/1/3/0/7/130740221/6712272.pdf
    • http://www.mydgphoto.com/uploads/1/3/0/7/130740572/wazopememolaf.pdf
    • http://www.aupairanswermom.com/uploads/1/3/0/4/130483513/8972821.pdf
    • http://aikhme.com/uploads/1/3/0/4/130483515/309521.pdf
    • http://isaacbarrios.com/uploads/1/3/0/9/130970006/de0b211c6e.pdf
    • http://nancyrancher.life/uploads/1/3/0/5/130590481/defuvedegov.pdf
    • http://doyouforyounow.com/uploads/1/3/0/7/130738881/5273b29.pdf
    • http://wamits.net/uploads/1/3/0/6/130620673/3864094faadf1.pdf
    • http://trust-trade.net/uploads/1/3/0/2/130287242/wisepagorele.pdf
    • http://montebellonotarypublic.com/uploads/1/3/0/5/130589241/marisa.pdf
    • http://www.lovebystasia.com/uploads/1/3/0/6/130639059/0b66f.pdf
    • http://mrglows.com/uploads/1/3/0/5/130543198/2652955.pdf
    • http://paninternationalllc.com/uploads/1/3/0/6/130622104/2944b5c5b2.pdf
    • http://www.ancoatsdeli.com/uploads/1/3/0/2/130291552/pevuwalog-ritobiwazore-nabijeje-fuzokifudames.pdf
    • http://moonshot.games/uploads/1/3/0/8/130814190/nanomubexuvidog.pdf
    • http://suckingatlife.com/uploads/1/3/0/3/130313359/6505981.pdf
    • http://azairparks.com/uploads/1/3/0/5/130588388/majotaketilaker.pdf
    • http://www.briaswaringam.com/uploads/1/3/0/8/130814088/4698449.pdf
    • http://sarahgillprojectmanagement.com/uploads/1/3/0/4/130489162/nifexi-vuxupi-xupifeso-warumifop.pdf
    • http://www.lusoexclusive.com/uploads/1/3/0/5/130539350/baravewadu_xerodij.pdf
    • http://raunig-family.rominastiebenphotography.com/uploads/1/3/0/3/130323161/130323161.html#denon+avr-x3300w+firmware+update+2019
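The PDF_SEO_LINK_FARM heuristic above is described only in prose. The following Python is an added example, not the scanner's own code, that approximates it: it pulls /URI strings out of uncompressed link annotations, keeps only external .pdf targets, and tests the three conditions the rule names (small file, many links, clustering). The rule text speaks of clustering on one host, but the URLs listed above sit on 23 different hosts and instead share the path shape /uploads/N/N/N/N/N/, so the example measures clustering by both host and digit-collapsed path template. The thresholds (200 KB, 10 links, 50 % cluster share) are assumptions, the minimal PDF builder and the benign comparison URLs on example.org/.com/.net are constructed here, and the link-farm URLs are a subset of those listed in the report.

```python
"""Added example: a scanner-style approximation of the PDF_SEO_LINK_FARM heuristic.

Not the report tool's code. Thresholds and the path-template check are assumptions;
the rule text only says "small PDF", "many clickable external PDF links", "clustered".
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed thresholds. The sample in the report is 82.8 KB with 23 external .pdf links.
SMALL_PDF_MAX_BYTES = 200 * 1024
MIN_EXTERNAL_PDF_LINKS = 10
CLUSTER_RATIO = 0.5   # share of .pdf links that must sit on the top host or path template

# Matches /URI (...) in link-annotation actions of *uncompressed* objects only.
# A real scanner inflates FlateDecode object streams first and also handles
# hex-string URIs (<...>) and escaped parentheses, which this regex does not.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def build_sample_pdf(urls):
    """Constructed sample: a one-page PDF whose only content is one link annotation per URL."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annot_refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
                + annot_refs + b"] >>")
    for url in urls:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [72 700 300 712] "
                    b"/A << /S /URI /URI (" + url.encode("ascii") + b") >> >>")
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n" % (len(objs) + 1) + b"0000000000 65535 f \n"
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_pos)
    return bytes(out)


def extract_uris(pdf_bytes):
    """All literal-string /URI targets found in the raw bytes (see URI_RE caveats)."""
    return [m.group(1).decode("latin-1", "replace") for m in URI_RE.finditer(pdf_bytes)]


def path_template(url):
    """Directory part of the URL path with digit runs collapsed, so that
    /uploads/1/3/0/5/130550785/a.pdf and /uploads/1/3/0/4/130490181/b.pdf compare equal."""
    directory = urlsplit(url).path.rsplit("/", 1)[0]
    return re.sub(r"\d+", "N", directory)


def link_farm_verdict(pdf_bytes):
    """Apply the assumed PDF_SEO_LINK_FARM conditions and return the measured features."""
    pdf_links = []
    for uri in extract_uris(pdf_bytes):
        parts = urlsplit(uri)
        if parts.scheme in ("http", "https") and parts.path.lower().endswith(".pdf"):
            pdf_links.append(uri)
    n = len(pdf_links)

    def top_share(counter):
        return counter.most_common(1)[0][1] / n if n else 0.0

    host_share = top_share(Counter(urlsplit(u).hostname for u in pdf_links))
    template_share = top_share(Counter(path_template(u) for u in pdf_links))
    hit = (len(pdf_bytes) <= SMALL_PDF_MAX_BYTES
           and n >= MIN_EXTERNAL_PDF_LINKS
           and max(host_share, template_share) >= CLUSTER_RATIO)
    return {"size": len(pdf_bytes), "external_pdf_links": n,
            "top_host_share": host_share, "top_path_template_share": template_share,
            "PDF_SEO_LINK_FARM": hit}


# Subset of the URLs listed in the report (the .html one is kept to show it is filtered out).
SAMPLE_LINK_FARM_URLS = [
    "http://jennygayle.com/uploads/1/3/0/5/130550785/godiwidunef.pdf",
    "http://macprompter.net/uploads/1/3/0/4/130490181/rowudokum.pdf",
    "http://nishadalaruzmani.net/uploads/1/3/0/3/130323251/f6f9547de55a.pdf",
    "http://setfreeindeed.com/uploads/1/3/0/7/130740221/6712272.pdf",
    "http://www.mydgphoto.com/uploads/1/3/0/7/130740572/wazopememolaf.pdf",
    "http://www.aupairanswermom.com/uploads/1/3/0/4/130483513/8972821.pdf",
    "http://aikhme.com/uploads/1/3/0/4/130483515/309521.pdf",
    "http://isaacbarrios.com/uploads/1/3/0/9/130970006/de0b211c6e.pdf",
    "http://nancyrancher.life/uploads/1/3/0/5/130590481/defuvedegov.pdf",
    "http://doyouforyounow.com/uploads/1/3/0/7/130738881/5273b29.pdf",
    "http://wamits.net/uploads/1/3/0/6/130620673/3864094faadf1.pdf",
    "http://trust-trade.net/uploads/1/3/0/2/130287242/wisepagorele.pdf",
    "http://raunig-family.rominastiebenphotography.com/uploads/1/3/0/3/130323161/130323161.html",
]
# Constructed benign comparison: a short document citing three unrelated papers.
BENIGN_URLS = ["https://example.org/papers/2019/a.pdf",
               "https://example.com/docs/b.pdf",
               "https://example.net/archive/c.pdf"]

if __name__ == "__main__":
    for label, urls in (("link farm", SAMPLE_LINK_FARM_URLS), ("benign", BENIGN_URLS)):
        print(label, link_farm_verdict(build_sample_pdf(urls)))
```

The benign document fails on link count alone; the link-farm sample passes on size and count and clusters at 100 % by path template while its top-host share is only 1/12, which is why a host-only check would have missed this particular carrier.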

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000547e.bin
SHA-256: ce1781de356c033a47fcf018ec4039e8bfdb0011297a739c3516681b2b32d919
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x547E
Size: 9224 bytes