Malicious PDF — malware analysis report

Static analysis result for SHA-256 49e986815211700d…

Verdict: MALICIOUS
File type: PDF
Size: 35.9 KB
Authoring application: Scribus
MD5: 0af0b13b5fc28f4ccf11a9e879d839a7
SHA-1: 965e969dc1752d4b73a41c8bcd08c53554426058
SHA-256: 49e986815211700d24b47a2d32d2b4b85ca46837c3e377cb7de1de46f2257b4b
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF contains a large number of embedded external links, a technique often used for SEO poisoning or to redirect users to malicious sites. ClamAV identified this as Pdf.Phishing.TtraffRobotInstall, and the ML classifier also flagged it with high confidence. The embedded URLs suggest a link farm designed to drive traffic to potentially malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000125a.bin
SHA-256: c64a620ca280c4d9cc16bf88b7a6acd38130686cc7053ee79fbdeb30dd2c21bb
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x125A
Size: 8096 bytes