Malicious PDF — malware analysis report

Static analysis result for SHA-256 2f2deea630f822e2…

Verdict: MALICIOUS
File type: PDF
Size: 48.9 KB
Authoring application: Inkscape
MD5: e8c7c859bbc133ddb6e31da22d148ee3
SHA-1: db6446d69736bff9328d9a968a9884f4e5311072
SHA-256: 2f2deea630f822e2e7cec00ec55c55e0b9885cf975186d16f51d6bc9608ed139
Risk Score: 152

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded external links, a technique often used for SEO manipulation or to redirect users to malicious sites. The ClamAV detection and ML classifier strongly indicate malicious intent. The primary attack pattern involves leveraging these links to distribute further content or phishing pages.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL: Embedded URL info
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00004478.bin
    SHA-256: b3affdfdfee497c2d3230853582529cf395d265bfdbb8cde7d84ae9c33602211
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x4478
    Size: 16036 bytes
  • Filename: font_01_sfnt_off00005891.bin
    SHA-256: 6dc6e07f93ae70488a19e8a398a1c6cda2f5723fc3d3cbe180c5afbb10c3611e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5891
    Size: 2864 bytes
  • Filename: font_02_sfnt_off0000655b.bin
    SHA-256: b8118212642850408f4d212d1b73e9fb2fb29c83b994c05b718f8b11868fe2be
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x655B
    Size: 8156 bytes