Malicious PDF — malware analysis report

Static analysis result for SHA-256 3796305ec19e32a4…

Verdict: MALICIOUS
File type: PDF
Size: 34.5 KB
Authoring application: Scribus
MD5: f6afb8cb5da38b93e91a1d5552e29f47
SHA-1: 5ef17e8cec2b490c5cc40543a87f15b7fd10863a
SHA-256: 3796305ec19e32a4b59cbbc18f4c3cfb801258634143d2c3a3411a01454dd820
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a mass external link farm, directing users to numerous PDF files hosted on various domains. The ClamAV detection and ML classifier strongly indicate malicious intent, specifically identified as phishing and potentially distributing malware. The embedded URLs likely serve as lures to download further malicious payloads.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000031cb.bin
SHA-256: 323327c5a9986aa19315f284631f1ec9ce971b7b37d233e69cc29d0fde8e76d0
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x31CB
Size: 7692 bytes