Malicious PDF — malware analysis report

Static analysis result for SHA-256 38938fd76f93c4ca…

MALICIOUS

PDF

Size: 55.3 KB
Authoring application: Scribus
MD5: 0efe1b042873e3dc9279694287bf29d6
SHA-1: 58e60dab33153f87178ca1ab8287aa0cc56a2298
SHA-256: 38938fd76f93c4ca0c33e8404312341a72eeffc1bf96220e3359986d9e19fa42
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links to external PDF files, a technique often used for SEO manipulation or to distribute malicious content. ClamAV identified this file as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', and a machine learning classifier also flagged it with high confidence. The document body itself mixes seemingly legitimate text with obfuscated content, including the embedded URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://pitkulup.net/uploads/1/3/0/7/130738684/busog.pdf
    • http://bubbcomics.com/uploads/1/3/0/8/130814591/lenabog-lesitex-mufifun-balugoj.pdf
    • http://karenjanewalker.net/uploads/1/3/0/3/130323743/zoniratiponenufenur.pdf
    • http://michaelparlato.com/uploads/1/3/0/4/130483299/1413454.pdf
    • http://keepyourappointment.com/uploads/1/3/0/6/130604289/kikapubol-womak-diwuzewavod-fiwolereruz.pdf
    • http://canadian-photography.ca/uploads/1/3/0/7/130740206/fad45c79d.pdf
    • http://farmdalehawks.org/uploads/1/3/0/5/130544954/5182768.pdf
    • http://napashuttlelimo.com/uploads/1/3/0/6/130620389/gozofaxukibevin.pdf
    • http://dancinggoatsanctuary.com/uploads/1/3/0/7/130776126/130776126.html#rabbi+dr.+abraham+twerski+books+pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00001237.bin
    SHA-256: 0e4449455a35bf26d14152084003817ac08bcc80eab9f9417fbad80e562c94ed
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1237
    Size: 8664 bytes
  • Filename: font_01_sfnt_off00008dee.bin
    SHA-256: 1e9558349fe5a7d9f514b69fd607663a36c18a9ed817f19a2b689237ce3d4d39
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8DEE
    Size: 17560 bytes