Malicious PDF — malware analysis report

Static analysis result for SHA-256 65955ed04deefb20…

Verdict: MALICIOUS
File type: PDF
Size: 32.0 KB
Authoring application: Scribus
MD5: d96d55bcacc3832e81974f8b3326d127
SHA-1: 2c64bbf843c20df853e8df4069e2508f5f89377d
SHA-256: 65955ed04deefb20821d72623beaf97b69cba41af5084c1161eac7bfa609a80a
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of external links to other PDF files, a technique often used for SEO manipulation or to distribute further malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent. The embedded URLs are the primary indicators of compromise, suggesting a coordinated effort to redirect users to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://219garage.com/uploads/1/3/0/2/130291838/7435710.pdf
    • http://richmond-math.com/uploads/1/3/0/2/130287495/d742adc.pdf
    • http://mkefacepaint.com/uploads/1/3/0/6/130639924/sodazome.pdf
    • http://ariana-johnson.com/uploads/1/3/0/6/130604956/gefuza.pdf
    • http://sliceoffeist.com/uploads/1/3/0/4/130489159/5266031.pdf
    • http://standoutindallas.com/uploads/1/3/0/5/130543207/b11a2561.pdf
    • http://gonewberry.com/uploads/1/3/0/8/130815303/pasipofije.pdf
    • http://savannahceramics.com/uploads/1/3/0/6/130639038/2754070.pdf
    • http://advance-it.net/uploads/1/3/0/8/130814856/130814856.html#skf+timken+seal+cross+reference

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002a51.bin
SHA-256: 6d79edc211c89bb94745e38b1a7169d82dbfc838dc50762f9f024b7e39662aad
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2A51
Size: 7460 bytes