Malicious PDF — malware analysis report

Static analysis result for SHA-256 495c92265c18bcf5…

Verdict: MALICIOUS
File type: PDF
Size: 37.2 KB
Authoring application: Inkscape
MD5: a5ab0b018683c1a79e7bc7f52291b245
SHA-1: 922df6aa6ef9d6bb70f11259b84983ddbb529b8a
SHA-256: 495c92265c18bcf5ce87d73a76e9f6f21550f1826a1d2062256893e2f038880f
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded links to external PDF files, a technique often used for SEO spam or to distribute malware. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier strongly indicate malicious intent. The document body contains garbled text, suggesting it is not intended for human consumption but rather as a vehicle for the link farm.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000030da.bin
SHA-256: acfa373293750523f0146e6b2f3f286feecbede955287f79d5dcca7edc4e8a4d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x30DA
Size: 8956 bytes