Malicious PDF — malware analysis report

Static analysis result for SHA-256 5e1485b0c235fb97…

Verdict: MALICIOUS
File type: PDF
Size: 35.8 KB
Authoring application: Inkscape
MD5: d4ec2141c42bd80c021a5cbe4faa2080
SHA-1: 1dd159b69d2a905429eaff7577bc4b240e61e596
SHA-256: 5e1485b0c235fb9767579e076cc564312d547fd67deea174cee175176118e537
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs pointing to external PDF files: 19 of the 20 extracted links target a .pdf on another host, and the twentieth an .html page. This pattern is typical of SEO spam and of carrier documents that redirect users to malicious content. ClamAV detected the file as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', and a critical heuristic identified it as a PDF link farm. Note that the links here are spread across 20 different hosts rather than clustered on one, but they share the same /uploads/... path layout. The document body itself appears to be corrupted or to contain obfuscated text; the primary malicious activity is the mass of external links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://werave.myalbumsexy.com/uploads/2020/01/29/dd29cfc13c9.pdf
    • https://morilimuwule.weebly.com/uploads/1/3/0/4/130435846/6bca10.pdf
    • http://mobilenotaryinca.com/uploads/1/3/0/5/130540525/fegigamomalulo_sadovur_zugujarizovane_jekupozovulam.pdf
    • http://sherpublishing.com/uploads/1/3/0/5/130589360/liwubetove.pdf
    • http://alternative-healing-therapy.com/uploads/1/3/0/3/130313698/tozupudozejudezilux.pdf
    • http://bulogi.sdekor.ru/uploads/2020/01/28/dizanafu_gokuf_gezekab_manuzonux.pdf
    • http://getfitwear.ru/uploads/2020/01/29/wakoperalajos.pdf
    • http://tangofilmsla.com/uploads/1/3/0/5/130545447/suxinunimigil-puzovemenuse-vudibo.pdf
    • https://kujamuvopujit.weebly.com/uploads/1/3/0/2/130289711/55981c0.pdf
    • http://southeastlocksupply.com/uploads/1/3/0/4/130477028/zinupegukut.pdf
    • http://zenwich.co/uploads/1/3/0/4/130489075/a3a29462114505.pdf
    • http://cutepigproductions.net/uploads/1/3/0/5/130539241/dejozebaxujut.pdf
    • http://tamarosan.ner1.ru/uploads/2020/01/28/3882680.pdf
    • http://ctatherapy.com/uploads/1/3/0/4/130488968/wepur.pdf
    • http://vibe.sexsdetmi.com/uploads/2020/01/28/gibijobukofowix-jedokezixenaz.pdf
    • http://frmclinicsrussia.ru/uploads/2020/01/27/5227811.pdf
    • http://cshennessyenterprises.net/uploads/1/3/0/2/130289755/moverujuko-wewav.pdf
    • http://seariderphotography.com/uploads/1/3/0/6/130620297/1143877.pdf
    • http://tk2services.com/uploads/1/3/0/6/130604988/jepobuvum.pdf
    • http://woodlandstuition.com/uploads/1/3/0/2/130287945/130287945.html#wild+horses+natasha+bedingfield+sheet+music
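The PDF_SEO_LINK_FARM heuristic above, as an added example that is not part of this report or of the scanner that produced it. The script builds a constructed one-page PDF whose only content is a /Link annotation per URL (using a subset of the links listed above as sample input), pulls the /URI literal strings back out of the raw bytes the way a triage scanner does, and applies a size / link-count / .pdf-share / host-clustering check of the kind the heuristic describes. The thresholds (200 KB, 10 links, 80% .pdf targets) are assumptions chosen for the example, not the scanner's.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample input: a subset of the link targets listed in the report.
SAMPLE_URLS = [
    "http://werave.myalbumsexy.com/uploads/2020/01/29/dd29cfc13c9.pdf",
    "https://morilimuwule.weebly.com/uploads/1/3/0/4/130435846/6bca10.pdf",
    "http://mobilenotaryinca.com/uploads/1/3/0/5/130540525/fegigamomalulo_sadovur_zugujarizovane_jekupozovulam.pdf",
    "http://sherpublishing.com/uploads/1/3/0/5/130589360/liwubetove.pdf",
    "http://alternative-healing-therapy.com/uploads/1/3/0/3/130313698/tozupudozejudezilux.pdf",
    "http://bulogi.sdekor.ru/uploads/2020/01/28/dizanafu_gokuf_gezekab_manuzonux.pdf",
    "http://getfitwear.ru/uploads/2020/01/29/wakoperalajos.pdf",
    "http://tangofilmsla.com/uploads/1/3/0/5/130545447/suxinunimigil-puzovemenuse-vudibo.pdf",
    "https://kujamuvopujit.weebly.com/uploads/1/3/0/2/130289711/55981c0.pdf",
    "http://southeastlocksupply.com/uploads/1/3/0/4/130477028/zinupegukut.pdf",
    "http://zenwich.co/uploads/1/3/0/4/130489075/a3a29462114505.pdf",
    "http://woodlandstuition.com/uploads/1/3/0/2/130287945/130287945.html#wild+horses+natasha+bedingfield+sheet+music",
]


def _pdf_string(s):
    """Escape a str as the body of a PDF literal string: backslash and parentheses."""
    b = s.encode("latin-1")
    return b.replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)")


def build_pdf_with_links(urls):
    """Build a minimal, well-formed one-page PDF whose only content is one
    /Link annotation carrying a /URI action per URL. Offline test input only."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annot_refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
                b"/Annots [" + annot_refs + b"] >>")
    for url in urls:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 200 20] "
                    b"/A << /S /URI /URI (" + _pdf_string(url) + b") >> >>")
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref_pos))
    return bytes(out)


# Matches "/URI (...)" literal strings, honouring backslash escapes inside them.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_link_uris(pdf_bytes):
    """Pull every /URI literal string out of the raw file, in object order.
    Limitation (by design, like a quick triage pass): only uncompressed objects
    are seen; annotations inside FlateDecode object streams must be inflated first."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # undo \( \) \\ escapes
        uris.append(raw.decode("latin-1"))
    return uris


def link_farm_verdict(pdf_bytes, max_size=200 * 1024, min_links=10, min_pdf_share=0.8):
    """Assumed thresholds (not the scanner's): a small file carrying many external
    links, most of which target other .pdf files, is flagged as a link farm.
    Host clustering is reported as a feature so an analyst can see the spread."""
    uris = extract_link_uris(pdf_bytes)
    external = [u for u in uris if urlparse(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in external)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    pdf_share = len(pdf_links) / len(external) if external else 0.0
    return {
        "size": len(pdf_bytes),
        "external_links": len(external),
        "pdf_links": len(pdf_links),
        "pdf_share": pdf_share,
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": top_count / len(external) if external else 0.0,
        "flagged": (len(pdf_bytes) <= max_size
                    and len(pdf_links) >= min_links
                    and pdf_share >= min_pdf_share),
    }


if __name__ == "__main__":
    sample = build_pdf_with_links(SAMPLE_URLS)
    for key, value in link_farm_verdict(sample).items():
        print(f"{key}: {value}")
```

On the constructed sample the verdict is flagged with 11 of 12 external links pointing at .pdf targets across 12 distinct hosts, so the "clustered on one host" part of the rule description would not fire here; the size and .pdf-share features carry the detection. For a real sample, dump and inflate the objects first (object streams hide annotations from a raw-bytes scan), and remember that link annotations are only one channel: /OpenAction JavaScript and form-submit actions can reach URLs without any /Link object at all.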

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000015e2.bin
SHA-256: dbe3e42519ab3594a82d50983328f37826c39edaa052c479f2832d807c8dba6d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x15E2
Size: 8160 bytes