Malicious PDF — malware analysis report

Static analysis result for SHA-256 5bbea3bf55bc5f47…

MALICIOUS

PDF

Size: 55.0 KB
Authoring application: Scribus
MD5: 091aa17ce69be3c366bac18bf07e4cc0
SHA-1: b52028c6fc2805c6d1de3275108299e33aef5dd2
SHA-256: 5bbea3bf55bc5f470cacc359263bd67207e894cc3d16cf5b5ae3168dd854c236
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded links to external PDF files, a technique often used for SEO poisoning or to distribute further malicious content. ClamAV and a machine learning classifier both identified this file as malicious, specifically flagging it as phishing or a potential installer. The embedded URLs are the primary indicators of compromise, suggesting a distribution or redirection mechanism.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://softstrong.net/uploads/1/3/0/5/130540767/xaxexo.pdf
    • http://blockchainbetterbusiness.com/uploads/1/3/0/5/130541356/198138.pdf
    • http://art8light.com/uploads/1/3/0/3/130313176/pobugetogikuti.pdf
    • http://mollymia.com/uploads/1/3/0/5/130588787/2029dcf0.pdf
    • http://matsigura.net/uploads/1/3/0/6/130621436/luzor.pdf
    • http://kmdmoney.com/uploads/1/3/0/3/130379098/wizebexibigabebowi.pdf
    • http://dxef.com/uploads/1/3/0/8/130813897/7839ab9c3519.pdf
    • http://cellphonebucket.com/uploads/1/3/0/3/130313010/wibifujudov-kiwirazobiku.pdf
    • http://reeeeeeeee.com/uploads/1/3/0/6/130604576/vigowise.pdf
    • http://algaebookandpaper.com/uploads/1/3/0/4/130490928/dinamewij.pdf
    • http://cradleinferno.com/uploads/1/3/0/5/130545745/6060405.pdf
    • http://optiki.bg/uploads/1/3/0/4/130476574/3762966.pdf
    • http://alisonreber.com/uploads/1/3/0/2/130272892/7263220.pdf
    • http://pxbible.net/uploads/1/3/0/5/130543472/madetebuta.pdf
    • http://ecarsindia.in/uploads/1/3/0/6/130621597/7400128.pdf
    • http://jobbienooner.net/uploads/1/3/0/6/130620320/938311.pdf
    • http://sapmii.studio/uploads/1/3/0/6/130604788/powegedabap_xugegujat_tibeleku.pdf
    • http://wpgigslist.com/uploads/1/3/0/5/130588810/jabinegenej.pdf
    • http://crhardscape.com/uploads/1/3/0/6/130621741/posasobaz.pdf
    • http://cadescovejunkies.com/uploads/1/3/0/6/130604687/nolawanevubixe.pdf
    • http://www.maruaponte.com/uploads/1/3/0/4/130488286/22c2b6b09.pdf
    • http://introducingfriends.net/uploads/1/3/0/6/130604928/wudex-rabekorabivewo-xawunefiwakufo-lefup.pdf
    • http://missionfieldnebraska.net/uploads/1/3/0/7/130739949/3950382.pdf
    • http://prestomagictravel.voyagerwebsites.com/uploads/1/3/0/2/130287852/130287852.html#musculocutaneous+nerve+supplies+what+muscles

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000138e.bin
SHA-256: 1c32d067c1bee9baa779158c34837b8d667b9bf4df08fee44e599e2c7684e898
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x138E
Size: 9052 bytes