Malicious PDF — malware analysis report

Static analysis result for SHA-256 60603171e913d150…

Verdict: MALICIOUS

File type: PDF

Size: 41.1 KB
Authoring application: Karbon
MD5: adc16470191afed8ed67649d1f895568
SHA-1: 0ed557c5ee0544d64dc253efe82ae6a64684d10a
SHA-256: 60603171e913d1507afb80b691314d785f3c628af6975a9f0ca17dcdfb63d2d1
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded links to external PDF files hosted on various domains, as indicated by the PDF_SEO_LINK_FARM heuristic. This suggests a tactic to manipulate search engine results or distribute malicious content. The ML_NYX_PDF_MALICIOUS and CLAMAV_DETECTION heuristics confirm the malicious nature of the file, with ClamAV identifying it as Pdf.Phishing.TtraffRobotInstall. The embedded URLs are the primary IOCs, pointing to potentially malicious or SEO-abused content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://phantom-rust.net/uploads/1/3/0/2/130274349/8836744.pdf
    • http://ticibasspeks.weebly.com/uploads/1/3/0/6/130639655/1900475.pdf
    • http://conexioroma.com/uploads/1/3/0/6/130639110/bolan_mominemapudilop_runebe_xowamobikajoxu.pdf
    • http://msmale.com/uploads/1/3/0/4/130476401/perolan.pdf
    • http://createdbyrellyrel.com/uploads/1/3/0/2/130289800/lijexenoxod.pdf
    • http://bewellmindset.org/uploads/1/3/0/5/130546543/863872.pdf
    • http://zuwiwudik.audiostart07.icu/uploads/2020/01/28/8a0ad2fc.pdf
    • http://brownfencing.com/uploads/1/3/0/6/130639082/1664324.pdf
    • http://disneychristmasparty.com/uploads/1/3/0/2/130287514/3563399.pdf
    • http://xujodijap.gameknb.fun/uploads/2020/01/28/tonajaluxun.pdf
    • http://amazonaskitchen.com/uploads/1/3/0/3/130323803/2f89a2a2.pdf
    • http://policyanalyticsgroup.net/uploads/1/3/0/5/130550754/cbc1194137.pdf
    • http://poluzare.topfloor.space/uploads/2020/01/29/befutiwefunivi.pdf
    • http://ghfohio.weebly.com/uploads/1/3/0/2/130291707/e181f1088cee426.pdf
    • http://pasturepride.com/uploads/1/3/0/4/130483114/b55ad606a4.pdf
    • http://mohamoudegal.com/uploads/1/3/0/6/130639659/05deceb41b67d.pdf
    • http://nula.severnypark.ru/uploads/2020/01/27/ec7e37c74f16f.pdf
    • http://jososesewe.myshop8.site/uploads/2020/01/28/7307142.pdf
    • http://saintclairstorage.com/uploads/1/3/0/4/130436307/97fcf5b35dd8d34.pdf
    • http://ot4kidsyangon.com/uploads/1/3/0/2/130289291/541b999a642.pdf
    • http://113366.co/uploads/1/3/0/3/130323318/130323318.html#cover+letter+for+tourist+visa+uk

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000015f1.bin
SHA-256: ae6529edf0aa7bdd6a9d9aaf2b74e270f201c1d1ae8b31da8621f9a1970c5d48
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x15F1
Size: 8512 bytes