Malicious PDF — malware analysis report

Static analysis result for SHA-256 4069617f9650b7d7…

Verdict: MALICIOUS
File type: PDF
Size: 26.6 KB
Authoring application: Scribus

  • MD5: b8e1255d7d20199d37a5b4675a7fbad9
  • SHA-1: 6a8f59537d4561644345adb0b377a19dabaa0a5e
  • SHA-256: 4069617f9650b7d76528c3df053076df0b665ff733130c107c46d4424342b0df

Risk score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

This PDF file was flagged as malicious by multiple independent detections, including a ClamAV signature and an ML classifier. The PDF contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic; such link farms are a common technique for phishing or for distributing further malware. The embedded URLs suggest a link farm designed to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000147b.bin
    SHA-256: d5f4ad9e2190267bbb0f278436b57efa8d91dec2c1b5433a7357da8f17bc25d6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x147B
    Size: 6816 bytes