Malicious PDF — malware analysis report

Static analysis result for SHA-256 517a53e636838f36…

MALICIOUS

PDF

Size: 83.7 KB
Authoring application: Scribus
MD5: bd20685094c18ae82cb3e565edb067c7
SHA-1: d77b40eb4176d967c599cad3cb267a08f8ae0266
SHA-256: 517a53e636838f360864c548b0df2d3fd5a19739c60c6d33d6312f47b1c71708
Risk Score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.001 User Execution: Malicious Link

The PDF file was flagged by multiple heuristics, including a critical finding for a PDF link farm and a ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0. The document body contains numerous embedded URLs, all of which have unknown reputation. These URLs are likely used to redirect users to phishing sites or to download further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9979

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://lakeshoreregionponyclub.com/uploads/1/3/0/6/130639557/fetewizonuzoz.pdf
    • http://vodudaxad.apart5k.ru/uploads/2020/01/28/338770.pdf
    • http://getthedriver.com/uploads/2020/01/28/5570991.pdf
    • http://moscowshamrocks.com/uploads/1/3/0/6/130604812/folupu_salutope_siwewilajapeji.pdf
    • http://midlandfencepros.com/uploads/1/3/0/5/130547405/e726ac390551d31.pdf
    • http://nlxcakes.com/uploads/1/3/0/4/130435898/91970107df3.pdf
    • http://bsa-sccc-pack301.com/uploads/1/3/0/6/130604420/130604420.html#blavatsky+voice+of+silence+pdf
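The link-farm heuristic and the per-URL extraction above can be reproduced on a file's raw bytes. The Python below is an added example written for this page, not the analysis platform's own code: it pulls /URI targets out of PDF literal and hex strings, inflates FlateDecode streams so Link annotations packed inside object streams are counted too (a grep over the raw file alone undercounts them), and scores how concentrated the targets are on one host. The thresholds (256 KB, 10 links, 60% on one host), the host names, and the skeletal PDF it builds as input are constructed assumptions for illustration, not values taken from the report.

```python
"""Link-farm triage for a PDF byte string: collect every /URI target
(including those hidden in FlateDecode streams), measure host concentration,
and apply a small-file / many-links / one-host rule like PDF_SEO_LINK_FARM."""
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

_URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)  # (...) with \ escapes
_URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")               # <hex> string form
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.S)


def _scan(buf: bytes) -> list:
    """Collect /URI targets from one buffer of PDF syntax (literal and hex)."""
    # Minimal unescape: only \( \) and \\ matter for URL strings.
    out = [re.sub(rb"\\(.)", rb"\1", m.group(1)) for m in _URI_LITERAL.finditer(buf)]
    for m in _URI_HEX.finditer(buf):
        h = re.sub(rb"\s", b"", m.group(1))
        out.append(bytes.fromhex((h + b"0" * (len(h) % 2)).decode()))  # odd length pads with 0
    return [u.decode("latin-1") for u in out]


def extract_uris(pdf: bytes, inflate: bool = True) -> list:
    """All /URI targets in the raw file plus, when inflate is set, inside every
    stream that zlib can decompress. Object streams routinely hold the Link
    annotation dicts, so inflate=False shows what a raw-bytes grep would miss."""
    uris = _scan(pdf)
    if inflate:
        for m in _STREAM.finditer(pdf):
            try:
                uris += _scan(zlib.decompress(m.group(1)))
            except zlib.error:
                continue  # image data, an unfiltered stream, or a non-Flate filter
    return uris


def host_concentration(uris: list):
    """Return (most common host, that host's share of all links)."""
    hosts = Counter((urlsplit(u).hostname or "").lower() for u in uris)
    if not hosts:
        return None, 0.0
    host, n = hosts.most_common(1)[0]
    return host, n / sum(hosts.values())


def link_farm_verdict(pdf: bytes, max_size=256 * 1024, min_links=10, min_share=0.6) -> dict:
    """Small file + many external links + most of them on one host.
    The three thresholds are assumed for illustration, not the report's own."""
    uris = extract_uris(pdf)
    host, share = host_concentration(uris)
    hit = len(pdf) <= max_size and len(uris) >= min_links and share >= min_share
    return {"size": len(pdf), "links": len(uris), "top_host": host,
            "share": round(share, 3), "PDF_SEO_LINK_FARM": hit}


# ---- constructed sample (not the analysed file): a skeletal PDF with a few
# plain Link annotations plus one FlateDecode stream carrying the rest ----
def _annot(url: str, as_hex: bool = False) -> bytes:
    target = f"<{url.encode().hex()}>" if as_hex else f"({url})"
    return (f"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
            f"/A << /S /URI /URI {target} >> >>\n").encode()


FARM = "cdn-farm.example"  # assumed host name
PLAIN_URLS = [f"http://{FARM}/uploads/{i}.pdf" for i in range(3)] + ["http://other.example/a.pdf"]
PACKED_URLS = [f"http://{FARM}/uploads/{i}.pdf" for i in range(3, 11)] + ["http://b.example/x.html"]


def build_sample_pdf() -> bytes:
    body = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    for i, u in enumerate(PLAIN_URLS):
        body += b"%d 0 obj\n" % (10 + i) + _annot(u, as_hex=(i == 3)) + b"endobj\n"
    packed = zlib.compress(b"".join(_annot(u) for u in PACKED_URLS))
    body += (b"3 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n" % len(packed)
             + packed + b"\nendstream\nendobj\n%%EOF\n")
    return body


SAMPLE_PDF = build_sample_pdf()

if __name__ == "__main__":
    print(link_farm_verdict(SAMPLE_PDF))
```

Run it against a real sample with `link_farm_verdict(open(path, "rb").read())`. The inflate step matters in practice: on the constructed input a raw grep sees only the four plain annotations, while the inflated scan finds all thirteen, and only the latter crosses the link-count threshold. Remaining blind spots, unchanged from the report's caveat, are streams with other filters (LZW, ASCII85) and URIs built at runtime by JavaScript, which need a proper parser or emulation rather than a byte scan.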

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000132d.bin
SHA-256: 33cce18c05d7e58e90db44ef5368ef52f71c55eefa9fb0a0934e1235b0c83548
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x132D
Size: 8348 bytes

Filename: font_01_sfnt_off00008f1f.bin
SHA-256: d576e2173e5bafe917a889f060d97b375f93f6490bf8fd275835fe3c202e68de
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x8F1F
Size: 6168 bytes