Malicious PDF — malware analysis report

Static analysis result for SHA-256 4d5af8b0e8f7b00b…

MALICIOUS

PDF

49.9 KB Authoring application: Inkscape
MD5: cc98b18d456c8b6da53b9d1f9571c1ef SHA-1: 8201324ae9f7bb13221fb707870365001a70ee90 SHA-256: 4d5af8b0e8f7b00b3a47806357f0e9be52d7d5c551c0e0579fb6b3481174d7e0
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell

The PDF file was flagged by multiple heuristics, including a critical finding for a 'PDF_SEO_LINK_FARM' and ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. The document body contains numerous embedded URLs, many of which point to suspicious domains and appear to be part of a link farm. The primary attack pattern involves directing users to these external links, likely for phishing or to distribute further malware.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://dusawebet.sellercentral-amazon-avs.com/uploads/2020/01/29/tupof_pajapijof_jekelubex.pdf
    • http://josephbeggsfoundation.org/uploads/1/3/0/4/130483477/befekimofafuw.pdf
    • https://selatefob.weebly.com/uploads/1/3/0/2/130291441/3112236.pdf
    • http://jipax.cozystuff.ru/uploads/2020/01/27/6410656.pdf
    • http://boniluses.prorealgame.ru/uploads/2020/01/27/de73aa3.pdf
    • http://tibusunog.gate2019iitm.online/uploads/2020/01/28/8291435.pdf
    • http://somersetfoodtrail.org/uploads/1/3/0/6/130604778/130604778.html#cancionero+catolico+pdf+partituras

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000011a9.bin
f6508a9b6df97f0037683f6ca563252e15d45dc3366cbe5afe8bcbabda606be2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11A9 9796 bytes
font_01_sfnt_off00007db0.bin
6db2f878e0fd57d3a351d0d81a5ccd7b58f68df6728dadc3aee3ebeb1a1d6e60		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7DB0 16068 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.