Malicious PDF — malware analysis report

Static analysis result for SHA-256 37a4818ba27cea07…

MALICIOUS

PDF

Size: 33.5 KB
Authoring application: Inkscape
MD5: a3323ab24dee251ef6d552ac8436a3a8
SHA-1: 60be05f0492bcacb49a9c76728c60b9deafe7220
SHA-256: 37a4818ba27cea0725eca40ab6b179b87b82615bd8d22eb3963f32d4424fce83
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, indicating malicious intent. The primary attack pattern observed is a link farm, with numerous embedded URLs pointing to external PDF files. This technique is often used for SEO poisoning or to distribute further malicious payloads. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000029e6.bin
SHA-256: 391fae5085860841e9850c8840afb31b7a80ef1f478660e9958b376c34abff25
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x29E6
Size: 7236 bytes