Malicious PDF — malware analysis report

Static analysis result for SHA-256 42b50a11b3149c52…

Verdict: MALICIOUS
File type: PDF
Size: 33.9 KB
Authoring application: Scribus
MD5: b139f1b4b7fffd6fd802cf123cda7091
SHA-1: 0251506bcd94417f3ad1a9e2a72ba2d708e19f89
SHA-256: 42b50a11b3149c5241b31e9bcb0d68baa4c63f297ad0dd1570e3551adc444167
Risk score: 150

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell (automated technique mapping; note that no script was extracted from this sample, so nothing in this report substantiates PowerShell execution and the tag should be treated as unverified)

The PDF contains a large number of embedded external links, flagged by the PDF_SEO_LINK_FARM heuristic. The links point to PDF files on many different domains, but every target uses the same /uploads/1/3/0/<n>/<nine-digit id>/ path structure, which indicates a single generated link-farm or redirection scheme rather than ordinary document citations. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' supports malicious intent, most likely phishing or traffic manipulation. No scripts were extracted from this sample, so the document carries no active code of its own; the delivery mechanism is the clickable links themselves.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://reformingprojectmanagement.net/uploads/1/3/0/4/130483863/xokijolalimi_riraki_menajemefexiwup.pdf
    • http://rostelekomrt.space/uploads/1/3/0/2/130289453/9875b9ba67b4c.pdf
    • http://careerdiscoverycamp.com/uploads/1/3/0/5/130551198/furuputu.pdf
    • http://brouleepublicschool.com/uploads/1/3/0/6/130639077/pepizo_kuzured_tawajetalor.pdf
    • http://hildegeuens.com/uploads/1/3/0/7/130775391/3028961.pdf
    • http://drredford.com/uploads/1/3/0/3/130323422/093185.pdf
    • http://momasternaturalist.net/uploads/1/3/0/5/130540937/5544308.pdf
    • http://www.alldogsaresmart.info/uploads/1/3/0/6/130605509/e5ee427e2b.pdf
    • http://newsandroidapps.com/uploads/1/3/0/2/130287548/fdafc76ab848.pdf
    • http://digitalbusinessedgewebsitepreview1.com/uploads/1/3/0/7/130739745/3825562.pdf
    • http://www.mamarunsdisney.com/uploads/1/3/0/9/130969989/1764496.pdf
    • http://doublejagilitydownunder.com/uploads/1/3/0/9/130969259/titutidosuwi.pdf
    • http://www.modernsphere.ca/uploads/1/3/0/5/130547405/wopomujiziloveros.pdf
    • http://zach--andrea.rominastiebenphotography.com/uploads/1/3/0/7/130774965/130774965.html#anemia+infecciosa+em+equinos+.pdf
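To show what the PDF_SEO_LINK_FARM heuristic is actually measuring, here is an added triage script. It is not the scanner's own implementation or any code from this report; it pulls /URI targets out of /Link annotations with a byte-level scan and applies the three signals the heuristic description names (small file, many clickable external links, links clustered on one host or one path pattern). The thresholds, the sample URLs and the minimal PDF it builds are assumptions constructed for this example.

```python
"""Link-farm triage check for a PDF (illustrative, not the report's scanner)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Literal-string form:  /URI (http://host/path)   with \( \) \\ escapes
_LIT = re.compile(rb"/URI\s*\(((?:[^\\)]|\\.)*)\)", re.S)
# Hex-string form:      /URI <687474703A2F2F...>
_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")


def extract_uris(pdf_bytes):
    """Return every /URI target found in the raw file, in file order.

    Caveat: targets held in indirect objects or compressed object streams
    are not visible to this byte-level scan; a full parser is needed there.
    """
    found = []
    for m in _LIT.finditer(pdf_bytes):
        raw = re.sub(rb"\\(.)", lambda e: e.group(1), m.group(1))  # drop escapes
        found.append((m.start(), raw.decode("latin-1")))
    for m in _HEX.finditer(pdf_bytes):
        hexdigits = re.sub(rb"\s", b"", m.group(1))
        if len(hexdigits) % 2:          # PDF allows an odd digit count
            hexdigits += b"0"
        found.append((m.start(), bytes.fromhex(hexdigits.decode("ascii")).decode("latin-1")))
    return [u for _, u in sorted(found)]


def link_farm_score(pdf_bytes, max_size=64 * 1024, min_links=8, cluster_frac=0.5):
    """Score a PDF against the link-farm pattern; thresholds are assumptions."""
    uris = extract_uris(pdf_bytes)
    external = [u for u in uris if urlsplit(u).scheme in ("http", "https")]
    n = len(external)
    hosts = Counter((urlsplit(u).hostname or "").lower() for u in external)
    # Path cluster: first four path segments, e.g. /uploads/1/3/0 in the report's URLs
    prefixes = Counter("/".join(urlsplit(u).path.split("/")[:5]) for u in external)
    top_host, host_n = hosts.most_common(1)[0] if hosts else ("", 0)
    top_prefix, prefix_n = prefixes.most_common(1)[0] if prefixes else ("", 0)
    host_frac = host_n / n if n else 0.0
    prefix_frac = prefix_n / n if n else 0.0
    flagged = (len(pdf_bytes) <= max_size and n >= min_links
               and max(host_frac, prefix_frac) >= cluster_frac)
    return {"size": len(pdf_bytes), "links": n, "top_host": top_host,
            "host_fraction": host_frac, "top_prefix": top_prefix,
            "prefix_fraction": prefix_frac, "flagged": flagged}


def build_sample_pdf(uris):
    """Constructed sample: a minimal PDF whose page carries one /Link per URI."""
    annots = []
    for i, u in enumerate(uris):
        y = 700 - 20 * i
        annots.append(f"<< /Type /Annot /Subtype /Link /Rect [50 {y} 300 {y + 15}] "
                      f"/A << /S /URI /URI ({u}) >> >>")
    body = ("%PDF-1.4\n"
            "1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            "3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
            "/Annots [" + " ".join(annots) + "] >> endobj\n"
            "trailer << /Root 1 0 R >>\n%%EOF\n")
    return body.encode("latin-1")


# Made-up hosts that mimic the report's shape: distinct domains, shared path prefix.
SAMPLE_URIS = ["http://site%02d.example/uploads/1/3/0/%d/1305%05d/doc%d.pdf"
               % (i, i % 9, i * 37, i) for i in range(10)]

if __name__ == "__main__":
    print(link_farm_score(build_sample_pdf(SAMPLE_URIS)))
    print(link_farm_score(build_sample_pdf(["https://example.org/"])))
```

Against the constructed sample the host fraction is low (every link is on a different domain) but the path-prefix fraction is 1.0, which is the clustering signal that matters for this report's URL set; a single-host farm would trip the host fraction instead. Run the same function over the real sample bytes to reproduce the report's "many external PDF links" finding.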

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000285d.bin
SHA-256:  5ed30d456a4189c0c5131b17ed9e1a3e39705d9438d7ae7f8c2aa047505fefca
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x285D
Size:     10632 bytes