Malicious PDF — malware analysis report

Static analysis result for SHA-256 5d4cc24af03ef546…

Verdict: MALICIOUS

File type: PDF
Size: 39.0 KB
Authoring application: Scribus
MD5: 1cd7f1fc2080dafbaa2a75d2eaf4bf4d
SHA-1: 22c540ec7823fd28aa1d3424dcfef396651b7823
SHA-256: 5d4cc24af03ef546fccf518bdd38016b0f0dda64f1aecd4ce0716e2761bf663a
Risk Score: 152

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded URLs pointing to external PDF files, a technique often used for SEO manipulation or to distribute further malicious content. ClamAV detected this as Pdf.Phishing.TtraffRobotInstall, and a machine learning classifier also flagged it as malicious. No scripts were extracted, but the sheer volume of linked PDFs suggests a coordinated effort to redirect users to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://alignpilatesfitness.com.au/uploads/1/3/0/7/130739289/dabuxozopa-kubuvusulipula-dinewazog-fugapajupomet.pdf
    • http://mcaroadsidedeals.com/uploads/1/3/0/2/130288600/4717d.pdf
    • http://micromulsion.com/uploads/1/3/0/5/130588962/c8cd080.pdf
    • http://spiritascend.com/uploads/1/3/0/5/130588452/d17b0a4857aa.pdf
    • https://regugizimumala.weebly.com/uploads/1/3/0/5/130551191/db05a3740a0.pdf
    • http://tristanprettyman.net/uploads/1/3/0/7/130738719/fexujiwopow-konul.pdf
    • http://blesscedbeads.com/uploads/1/3/0/6/130604114/munugexeto-bijoferupaz-nawukaxugo-sixakower.pdf
    • http://absystemsllcscam.com/uploads/1/3/0/5/130541765/130541765.html#hsv+encephalitis+mri+radiopaedia
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000011a6.bin
    SHA-256: b8f8e869c7973f3672bd4408121d26ec5d1c67339545b1dd43e1b9e403d5f660
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11A6
    Size: 8324 bytes
  • Filename: font_01_sfnt_off00005ca8.bin
    SHA-256: 4d9ec2aec8f1ca6bebe1b56492fd55a77bba3a6e98efb76508c1b835d4eb9912
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5CA8
    Size: 2860 bytes