Malicious PDF — malware analysis report

Static analysis result for SHA-256 6a0a1aa24fd9f44c…

MALICIOUS

PDF

35.6 KB Authoring application: Inkscape
MD5: 9702ebc82b40ca6b6da45c8a830afa08 SHA-1: f6f3fb9c7bf3528d02803ea69cce4b09fb8a3454 SHA-256: 6a0a1aa24fd9f44cdcbd76aeb929a5c944bbb9d6fbaeb28b9352c6d16388a5ac
192 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, many of which point to suspicious domains. One specific link is embedded invisibly within the document, disguised as guidelines, and leads to a PDF hosted on 'jijine.support-accounts.online'. This suggests a phishing or credential harvesting attempt, likely using a link farm to obscure the true malicious destination. No scripts were extracted, but the presence of numerous external links and the ML classifier's high confidence score indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Image-heavy PDF with invisible link to suspicious domain high PDF_SUSPICIOUS_LINK_LURE
    PDF is a small image-heavy lure with invisible link annotations that send the user to a suspicious high-risk-domain URI. This matches credential-phishing carriers where the visible document is only a prompt and the real collection flow happens on the linked website.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://deletecoinbase.com/uploads/1/3/0/5/130542924/8385019.pdf
    • https://janunerumatuw.weebly.com/uploads/1/3/0/2/130273846/b4fadbb8.pdf
    • http://jijine.support-accounts.online/uploads/2020/01/28/gafixamafebevexupuj.pdf
    • http://paulsfavoritestuff.com/uploads/1/3/0/4/130489467/978cbfc7b.pdf
    • http://tokaben.pinapp.ru/uploads/2020/01/28/dccda4.pdf
    • http://zuxo.intrenet.pro/uploads/2020/01/28/5723042.pdf
    • http://motionfuels-arkansas.com/uploads/1/3/0/2/130271217/refigakezavikak.pdf
    • http://wofij.sportsrt.com/uploads/2020/01/29/dubig_fugesafi_mulun_luriritekurelel.pdf
    • http://homeandproperty.org/uploads/1/3/0/5/130539287/1222431.pdf
    • http://sewifuga.dimeka.ru/uploads/2020/01/29/7183108.pdf
    • http://toto.u-l.tech/uploads/2020/01/28/608102.pdf
    • http://misbailes.com/uploads/1/3/0/5/130550782/130550782.html#aua+guidelines+bph+2019

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00001412.bin
89ac6a054b166ab5e185c0d90dbd29de94e2eeba0c2152d6211dd7d712d5e381		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1412 8028 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.