Malicious PDF — malware analysis report

Static analysis result for SHA-256 6520c0a68923f69f…

MALICIOUS

PDF

Size: 31.8 KB
Authoring application: Karbon
MD5: 009745c3f6dbea3b0ca5d8bc722bdcc9
SHA-1: 209cf733e41e578f07711df805fdb296727817c0
SHA-256: 6520c0a68923f69ff40540d289b3e1eb80c04bc7191bc23bc86d9e9a67ce720f
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs pointing to other PDF files, a technique often used for SEO manipulation or to distribute further malicious content. ClamAV identified the file as Pdf.Phishing.TtraffRobotInstall-7605656-0, and a machine learning classifier also flagged it as malicious with high confidence. The document body text is heavily corrupted and unreadable, providing no further context.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001bf1.bin (023928f93d99086322309c4f903185d82f31768b0c6c942cef35fa1cafe7bf20)
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1BF1
Size: 6468 bytes