Malicious PDF — malware analysis report

Static analysis result for SHA-256 617b2f205035904c…

Verdict: MALICIOUS
File type: PDF
Size: 38.8 KB
Authoring application: Scribus
MD5: 5587a5201b9b6e726966a47c007c5dae
SHA-1: a7013326318a94d7fccf944cb38c3cb7b231ad2f
SHA-256: 617b2f205035904c4e8cf4f2765c3d882f046a60aeb0c6ef88f8e1fab1d6b21d
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded external links, a technique often used for SEO manipulation or to redirect users to malicious sites. ClamAV identified the file as Pdf.Phishing.TtraffRobotInstall, and a machine learning classifier also flagged it as malicious. The embedded URLs are the primary indicators of compromise, suggesting a phishing or content-serving attack.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://bouncinbus.com/uploads/1/3/0/5/130540118/1937261.pdf
    • http://127onyork.com/uploads/1/3/0/3/130323161/gobiga.pdf
    • http://anorganizedadventure.com/uploads/1/3/0/3/130324112/7f881d2.pdf
    • http://stadiacatering.com/uploads/1/3/0/5/130539979/418363.pdf
    • http://tife.luciemauger.com/uploads/2020/01/29/9116dd748fc947.pdf
    • http://diruluj.johnwasparke.pro/uploads/2020/01/28/wedig-puxulaneto-vupaxijoji-wiwik.pdf
    • http://cliftontaxicabs.com/uploads/1/3/0/5/130538817/33546f09ad.pdf
    • http://mikekelley.us/uploads/1/3/0/6/130639831/nulugiwomo.pdf
    • http://thecountryovenbakery.com/uploads/1/3/0/7/130738712/3966624.pdf
    • http://carpetcleancary.com/uploads/1/3/0/5/130539295/130539295.html#hcg+levels+in+blighted+ovum

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001201.bin
SHA-256: 76452fc48dcceaf6d772c133c9c855ccf474392d271d75fab7acb3802960299b
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1201
Size: 8728 bytes