Malicious PDF — malware analysis report

Static analysis result for SHA-256 58ebc374d48f6612…

MALICIOUS

PDF

Size: 35.0 KB
Authoring application: Inkscape
MD5: f16efe1126758f6a8f680a4556de29b9
SHA-1: 3ce31d774f18bdc286a5197baa6be82f371d5eb2
SHA-256: 58ebc374d48f66127d012710db2d7b331da4e8f5e87a711b22f303efbedb9173
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded external links, as indicated by the PDF_SEO_LINK_FARM heuristic. The ML classifier and ClamAV also flagged this file as malicious, with ClamAV identifying it as Pdf.Phishing.TtraffRobotInstall. The primary attack pattern involves redirecting users to numerous external URLs, likely for SEO spam or phishing campaigns. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; heuristic PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; heuristic CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (heuristic EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000011e0.bin
SHA-256: 223cf809715cdec44af450a097d9d4c15f53b42bbb035ce20301bf4ec4248cd4
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x11E0
Size: 8812 bytes