Malicious PDF — malware analysis report

Static analysis result for SHA-256 6ac234b0da54c94c…

Verdict: MALICIOUS
File type: PDF
Size: 37.8 KB
Authoring application: Inkscape
MD5: d712595b3af17177478924098a8559cf
SHA-1: d96616609cefea49d666dfc19df9d0208ff80078
SHA-256: 6ac234b0da54c94c4bb2e24c85b1b8651864abc45a25ac8649df9a0e4e56ef22
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF carries a large number of clickable external links to other PDF files, a pattern typical of generated SEO/link-farm carriers rather than of a normally authored document; such carriers are used for search-engine spam and to route readers into malicious or unwanted-software download chains. ClamAV detects the file as Pdf.Phishing.TtraffRobotInstall-7605656-0, and the machine-learning classifier also scores it as malicious. The 22 extracted URLs are the primary IOCs: all use plain http, each sits on a different host, and all share the same /uploads/1/3/0/<n>/<id>/ path layout (21 end in .pdf; the last points to an .html page with a keyword fragment). Because the hosts differ, blocking and hunting should key on the full URLs and the shared path pattern rather than on any single domain.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://williampmorgan.com/uploads/1/3/0/4/130476516/sibeb_subulomeku_mozilelorerew_xageziwomepage.pdf
    • http://willspointbluebird.org/uploads/1/3/0/3/130323329/7661564.pdf
    • http://goldenbuildaxiscorporation.com/uploads/1/3/0/6/130640024/tamoda-vawasogepi.pdf
    • http://wingingitarts.com/uploads/1/3/0/2/130274269/2680975.pdf
    • http://ushomeinspection.us/uploads/1/3/0/5/130551512/5753035.pdf
    • http://mx.river-city-wings.org/uploads/1/3/0/9/130969707/2517388.pdf
    • http://cardonetrainer.com/uploads/1/3/0/5/130544078/6193197.pdf
    • http://swoac.com/uploads/1/3/0/6/130621479/6fbd0e83ae4.pdf
    • http://nicole-bramble-illustration.com/uploads/1/3/0/6/130639379/9a1b03cdca1922.pdf
    • http://pawsforacauseinvitational.com/uploads/1/3/0/2/130288893/6261670.pdf
    • http://www.tompkinsrealestateco.com/uploads/1/3/0/4/130436367/ad1f4540528b.pdf
    • http://trafficsecretswaitlist.com/uploads/1/3/0/2/130289353/9202930.pdf
    • http://brbayouth.com/uploads/1/3/0/6/130603865/kewisib-jaxubinatuzex-jasemumurelejij-zemugapavipaseg.pdf
    • http://elkbuskencuentra.com/uploads/1/3/0/5/130547286/xegilu-tawumukupize.pdf
    • http://hackspokane.com/uploads/1/3/0/6/130604198/roxufelizapo.pdf
    • http://newsolutionsit.com/uploads/1/3/0/6/130620819/povafijixapigov-lafenozena.pdf
    • http://insuranceseguros.com/uploads/1/3/0/9/130969019/9074687.pdf
    • http://coinoplaundryparts.com/uploads/1/3/0/6/130621052/kunusu_wuvesebu_zemavetojozedo_dasosisavigune.pdf
    • http://charlottejackman.com/uploads/1/3/0/6/130604777/518188.pdf
    • http://mercymedicalarts.com/uploads/1/3/0/5/130540507/5868622.pdf
    • http://sprovencher.com/uploads/1/3/0/6/130639903/lajizubovebas-joraz.pdf
    • http://impactproductionsgroup.com/uploads/1/3/0/8/130813876/130813876.html#friendly+letter+worksheet+grade+2
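The PDF_SEO_LINK_FARM and EMBEDDED_URL heuristics above can be approximated with a byte-level scan: pull every /URI action out of the file (including those packed inside FlateDecode streams), then score file size, link count and clustering. The script below is an added example written for this report, not the vendor's rule, ClamAV's signature or the Nyx classifier. The thresholds (100 KB, 10 links, 50% clustering) are assumptions, the `link-farm.example.net` and `other-*.example.org` hosts are constructed test data, and the path-template signal goes beyond the rule text: it is motivated by the IOC list above, where one /uploads/1/3/0/<n>/<id>/ layout is spread across 22 different hosts.

```python
"""Byte-level approximation of the PDF_SEO_LINK_FARM rule: added example, not the vendor's code."""
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# /URI action with a literal-string operand, e.g. "/URI (http://host/x.pdf)".
# Hex-string operands and escaped parentheses are out of scope for this example.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Stream bodies. The lookbehind keeps "endstream" from being read as a stream start;
# a CR before "endstream" stays on the body, which the inflater tolerates as trailing data.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.DOTALL)


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Collect /URI targets from the raw file and from every stream that inflates as zlib."""
    uris = [m.decode("latin-1") for m in URI_RE.findall(pdf_bytes)]
    for body in STREAM_RE.findall(pdf_bytes):
        try:
            inflated = zlib.decompressobj().decompress(body)  # FlateDecode streams
        except zlib.error:
            continue                                          # other filters or plain data
        uris += [m.decode("latin-1") for m in URI_RE.findall(inflated)]
    return uris


def link_farm_verdict(pdf_bytes: bytes, max_size: int = 100_000,
                      min_links: int = 10, cluster_share: float = 0.5) -> dict:
    """Rule as described in the report: small file, many clickable external links,
    clustered on one host. Thresholds are assumptions made for this example.
    The path-template signal is an addition, motivated by the IOC list above, where one
    /uploads/1/3/0/<n>/<id>/ layout is spread across many distinct hosts."""
    external = [u for u in extract_uris(pdf_bytes)
                if u.lower().startswith(("http://", "https://"))]
    parsed = [urlparse(u) for u in external]
    n = len(external)
    pdf_links = sum(1 for p in parsed if p.path.lower().endswith(".pdf"))
    hosts = Counter(p.netloc.lower() for p in parsed)
    templates = Counter("/".join(p.path.split("/")[:4]) for p in parsed)  # e.g. "/uploads/1/3"
    top_host, host_n = hosts.most_common(1)[0] if hosts else ("", 0)
    top_tpl, tpl_n = templates.most_common(1)[0] if templates else ("", 0)
    host_share = host_n / n if n else 0.0
    tpl_share = tpl_n / n if n else 0.0
    flagged = (len(pdf_bytes) <= max_size and n >= min_links
               and max(host_share, tpl_share) >= cluster_share)
    return {"size": len(pdf_bytes), "external_links": n, "pdf_links": pdf_links,
            "top_host": top_host, "host_share": host_share,
            "top_path_template": top_tpl, "template_share": tpl_share, "flagged": flagged}


def build_fixture_pdf(uris: list[str]) -> bytes:
    """Constructed fixture, not the analysed sample: a bare PDF skeleton (no xref table, so a
    strict parser would have to rebuild one). The first half of the /Link annotations are
    plain objects; the second half sit inside a FlateDecode object stream."""
    def annot(i: int, u: str) -> str:
        return (f"<< /Type /Annot /Subtype /Link /Rect [0 {i * 12} 200 {i * 12 + 10}] "
                f"/A << /S /URI /URI ({u}) >> >>")
    half = len(uris) // 2
    out = bytearray(b"%PDF-1.5\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n")
    out += b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    out += b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 300 300] >>\nendobj\n"
    for i, u in enumerate(uris[:half]):
        out += f"{4 + i} 0 obj\n{annot(i, u)}\nendobj\n".encode()
    packed = "\n".join(annot(half + j, u) for j, u in enumerate(uris[half:])).encode()
    comp = zlib.compress(packed)
    out += (f"{4 + half} 0 obj\n<< /Type /ObjStm /N {len(uris) - half} /Length {len(comp)} "
            f"/Filter /FlateDecode >>\nstream\n").encode()
    out += comp + b"\nendstream\nendobj\n%%EOF\n"
    return bytes(out)


# Constructed link set on reserved example domains: nine links on one farm host using the
# /uploads/1/3/0/<n>/<id>/ layout, plus two PDFs and one HTML page on other hosts.
SAMPLE_URIS = (
    [f"http://link-farm.example.net/uploads/1/3/0/{i}/13000000{i}/{i}.pdf" for i in range(9)]
    + ["http://other-a.example.org/docs/report.pdf",
       "http://other-b.example.org/docs/guide.pdf",
       "http://other-c.example.org/index.html#worksheet"]
)

if __name__ == "__main__":
    for key, value in link_farm_verdict(build_fixture_pdf(SAMPLE_URIS)).items():
        print(f"{key:>18}: {value}")
```

Run it against a real sample with `link_farm_verdict(open(path, "rb").read())`. The script never contacts any of the URLs, and it deliberately only scans bytes: hex-string /URI operands, escaped parentheses, streams referenced through cross-reference streams and non-Flate filters are not handled, so for production triage pair it with a proper PDF parser and treat the output as a hunting signal, not a verdict on its own.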

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000313e.bin
SHA-256: 06860b966b84d2baacd14b96541947cb83b5f44bb829c6076a130a45489853db
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x313E
Size: 8380 bytes