Malicious PDF — malware analysis report

Static analysis result for SHA-256 456bf9d9bf023196…

MALICIOUS

PDF

Size: 80.1 KB
Authoring application: Inkscape
MD5: 245fcf338783d5e69abe7b95d82d4a44
SHA-1: 8766f239e7bd1298a49328edebdface5c7f1d0bb
SHA-256: 456bf9d9bf02319691c0a56e23f71276b81bee375c53ca2fd3c0e5483c908a2a
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links, as indicated by the PDF_SEO_LINK_FARM heuristic. This suggests the primary purpose is to redirect users to potentially malicious websites, consistent with SEO spam or phishing campaigns. The ML classifier and ClamAV detection further support its malicious nature. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9929

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://corporateworlddropouts.com/uploads/1/3/0/7/130740498/kovetuz-munulizugiwalu-zinebudeze-vuzurugawigafez.pdf
    • http://trindesigns.com/uploads/1/3/0/7/130776861/8249299.pdf
    • http://agingathometechnology.com/uploads/1/3/0/2/130289430/d334ff.pdf
    • http://breznjak-interijeri.com/uploads/1/3/0/4/130488311/bobapabo.pdf
    • http://www.zfnstudios.com/uploads/1/3/0/3/130313488/4274247.pdf
    • http://johnsteinman.net/uploads/1/3/0/5/130539913/pirabavipevuruj-lemosijoxuxi.pdf
    • http://mnalifestyleconnections.com/uploads/1/3/0/5/130539319/sinakabewuk.pdf
    • http://rainnstour.com/uploads/1/3/0/7/130739614/powik_nanamozu_fanovadibu.pdf
    • http://nicolecthomaswrites.com/uploads/1/3/0/5/130589098/bosapuvut.pdf
    • http://humanismandculture.com/uploads/1/3/0/6/130621059/seniwupek_bewoz_jexun.pdf
    • http://omeganaturals.ca/uploads/1/3/0/5/130539348/9919969.pdf
    • http://www.marplebeertraders.com/uploads/1/3/0/9/130969839/2774913.pdf
    • http://chrissynoelkinslow.org/uploads/1/3/0/2/130288552/387253a8.pdf
    • http://youniqueboutiquebytara.com/uploads/1/3/0/2/130288394/binonumojuvunenadawo.pdf
    • http://heavenonearthhealth.com/uploads/1/3/0/8/130873932/b8cc33841.pdf
    • http://sjpmarine.com/uploads/1/3/0/4/130491488/435d8ff987a63.pdf
    • http://www.thepdmg4u.com/uploads/1/3/0/2/130289700/muliritodatop-tovuziz-nobotakitedoza.pdf
    • http://cottagesupply.com/uploads/1/3/0/4/130435611/8445514.pdf
    • http://tryshashby-rolls.com/uploads/1/3/0/5/130539155/zirabigatu_raxodavavel_mutixakig.pdf
    • http://profinancialinsservices.org/uploads/1/3/0/4/130483300/09e5089ca.pdf
    • http://kenakathleen.com/uploads/1/3/0/4/130476496/3340495.pdf
    • http://sbuckling.com/uploads/1/3/0/6/130604145/2252546.pdf
    • http://www.xxfireworks.com/uploads/1/3/0/5/130590312/fafogekavapore_diwosoxexe.pdf
    • http://christinafriedle.org/uploads/1/3/0/7/130738714/130738714.html#assistant+f

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Each entry lists filename, SHA-256, kind, source and size.

  • stream_005_off0000a3fd.bin
    SHA-256: 3d5499e76e0358f57835435b81d1cabcd1ab0fc33d64981a70240df05172e62f
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xA3FD
    Size: 23520 bytes
  • font_00_sfnt_off000045f2.bin
    SHA-256: 2656e95b7e0156a1833c24e4dc67e5fa39f34169d202746d41ac16a609623ff4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x45F2
    Size: 12744 bytes
  • font_01_sfnt_off00006302.bin
    SHA-256: 974b411a4d66d4b4f6b673e5c068470e2be18d51c4571c06c3eeb6e61239bb8b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6302
    Size: 8288 bytes
  • font_02_sfnt_off00007cc4.bin
    SHA-256: de7c8eb92a49f2eefda29715d873f749f9412c7dd60031eb7d4e82f71524d315
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7CC4
    Size: 7112 bytes
  • font_03_sfnt_off00008f3a.bin
    SHA-256: 73e678fa0fd3a44557acbaffddd0abedd47c3d8d09ffa6c767a49086052d570a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8F3A
    Size: 6316 bytes
  • font_05_sfnt_off0000d022.bin
    SHA-256: 3318e1073857ac88c93ee5f32aaea7d989cb74c11e14a7d3dd686604d61ac936
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD022
    Size: 13360 bytes