Malicious PDF — malware analysis report

Static analysis result for SHA-256 4cf03a78378848f0…

Verdict: MALICIOUS
File type: PDF
Size: 42.9 KB
Authoring application: Inkscape
MD5: fa9beef7c733a8e1d7a6361db039c0eb
SHA-1: 1303004557a9b493dc9e5286ff4ce6ea86a1cd16
SHA-256: 4cf03a78378848f0a0a5f5bd05bc5dc464d1cdaae0e832447129951adbec6bcc
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF_SEO_LINK_FARM heuristic indicates the presence of numerous external links within the document, pointing to suspicious domains. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports malicious intent, most likely phishing or traffic redirection. The embedded URLs are the primary indicators of compromise and suggest that the document's purpose is to drive traffic to these external resources.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [critical] CLAMAV_DETECTION: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://modajewelry.shop/uploads/1/3/0/4/130491356/mufejuwozikibilu.pdf
    • http://besutobites.com/uploads/1/3/0/4/130483670/bibos.pdf
    • http://animalbehaviourcoaching.net/uploads/1/3/0/3/130379389/0087c33.pdf
    • http://allamericandogexpo.com/uploads/1/3/0/6/130639417/130639417.html#practice+worksheet+expanding+and+condensing+logs+answers

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00001021.bin
    SHA-256: e46e17522f953ae316e1ba330397b20702417c6a554d2cbd0058d8c07e40d1a4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1021
    Size: 8664 bytes
  • Filename: font_01_sfnt_off00006192.bin
    SHA-256: b080e6aa9682ff87567a230b404ab00780bafcfd3ba11e3f536b788ca6e08ef5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6192
    Size: 16060 bytes