Malicious PDF — malware analysis report

Static analysis result for SHA-256 4b7cd30d8f21e3cf…

Verdict: MALICIOUS
File type: PDF
Size: 83.7 KB
Authoring application: Inkscape
MD5: 376ff7118d8416b2f0055bd24032ef5c
SHA-1: 691680f6c30cf0ec2cb234ccec0ccd700a174a92
SHA-256: 4b7cd30d8f21e3cfa45eae057fb6a2c393679a77f84efbef8e6602e4ecb04cac
Risk Score: 150

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of external links to other PDF files hosted on various domains, a technique often used for SEO spam or to distribute malicious content. ClamAV identified this as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', indicating a phishing or traffic redirection scheme. The ML classifier also strongly flagged this PDF as malicious. No scripts were extracted, but the primary attack pattern involves directing users to external resources.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://mikaelpettersson.net/uploads/1/3/0/6/130604423/kamigap_jitosu.pdf
    • http://www.harrybick.com/uploads/1/3/0/4/130483953/b6285.pdf
    • http://michaelvickersbaritone.com/uploads/1/3/0/5/130588382/5107874.pdf
    • http://moonlilee.com/uploads/1/3/0/5/130588607/2938869.pdf
    • http://ohioccwtraining.net/uploads/1/3/0/7/130739745/rinuwavuzerul.pdf
    • http://dsmarcscreteil851239509.fr/uploads/1/3/0/2/130288811/teziwojubuwuduzap.pdf
    • http://apsolutionsllc.net/uploads/1/3/0/5/130588762/1ebde0319.pdf
    • http://subjectiveself.net/uploads/1/3/0/6/130639369/xebolagidojejolilup.pdf
    • http://discountwiresupply.com/uploads/1/3/0/5/130588872/0f4bae426.pdf
    • http://feardonald.com/uploads/1/3/0/4/130435898/45ba87889c.pdf
    • http://getguillotines.com/uploads/1/3/0/2/130270971/fb20aa68a25.pdf
    • http://illuminated-living.com/uploads/1/3/0/8/130874340/nezafinugijek.pdf
    • http://impactwindowreviews.com/uploads/1/3/0/4/130489830/1376411.pdf
    • http://klyamrecords.com/uploads/1/3/0/4/130476684/pajoxuwelokamaje.pdf
    • http://elliemaysgrowingupridgeback.com/uploads/1/3/0/4/130493714/rasunatujazasowapega.pdf
    • http://katduffauthor.com/uploads/1/3/0/6/130639841/denatebokataguz.pdf
    • http://mta-sts.jhigh18.com/uploads/1/3/0/4/130483322/130483322.html#ganga+action+plan+in+bengali

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00002d76.bin
    SHA-256: a3a2ab5c41d06ffcfb8f7db52d8195f59a47c884e6a2744ce5821849a0762822
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2D76
    Size: 9408 bytes
  • font_01_sfnt_off0000fa42.bin
    SHA-256: 039eb517683f72f61dd0034fa7b674560945d672ceb980a8efeb1a36c13cdd0b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFA42
    Size: 16168 bytes
  • font_02_sfnt_off00010f17.bin
    SHA-256: 2c32c498f23db3cae400dac070c72b38d41a5d5dbe5041cbe08e7cee44e1acfd
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10F17
    Size: 2648 bytes