Malicious PDF — malware analysis report

Static analysis result for SHA-256 654855263bdfe07c…

Verdict: MALICIOUS
File type: PDF
Size: 56.2 KB
Authoring application: Karbon
MD5: 711693a624b0f438e2182bb2ab0af2e9
SHA-1: 0756dcd0d3cfd076996b4f8ce868113d9bf76c23
SHA-256: 654855263bdfe07caa7029a2b711837f8a7d4fa6c22ea33cf1297e4b363a0999
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs pointing to other PDF files, suggesting a link farm designed to distribute malware or engage in phishing. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or malware distribution. The document body, though partially corrupted, mentions 'Generative adversarial networks tutorial pdf' and includes several URLs, reinforcing the lure.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000010a2.bin
    SHA-256: 8bb63b4eed533ba6583c0044a05523ad42194ab3536db6c477c268ec02e15dad
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10A2
    Size: 9492 bytes
  • Filename: font_01_sfnt_off00008fb9.bin
    SHA-256: d5ed1c3e32e121bc7fdf4b7f64e9f52042883cdc8d0b4eb1f0c73bff7e2be32e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8FB9
    Size: 4236 bytes