Malicious PDF — malware analysis report

Static analysis result for SHA-256 4434caef507d3d65…

Verdict: MALICIOUS
File type: PDF
Size: 38.0 KB
Authoring application: Inkscape
MD5: 19aa766565862d9ff359abd16e25819e
SHA-1: bf1e3bce426864c4df727f6fb85f250bb363ee87
SHA-256: 4434caef507d3d65105c565283d59440af1766d8bcf336f1fe64afdf75b1185f
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links to external PDF files hosted on various domains, a technique commonly used for SEO poisoning or distributing malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent. The document body content appears to be junk data, suggesting it's not intended for human consumption but rather to facilitate the link farm.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003109.bin
SHA-256: eed0f7275e4cf9260102d3bb87b03ef228004bf0f0c13c3edfd976532fae2616
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3109
Size: 8384 bytes