Malicious PDF — malware analysis report

Static analysis result for SHA-256 70491e6a27ef1916…

MALICIOUS

PDF

45.8 KB Authoring application: Scribus
MD5: 9bba14e7ec6d2c7e0aa5389e8410b701 SHA-1: 48670d5345f50e705735630bbcdd6217702b3c35 SHA-256: 70491e6a27ef1916af1e7d4ac7d799dfd4c0466e968a4547191f342323a7cd31
152 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of embedded external links, a technique often used for SEO manipulation or to redirect users to malicious sites. ClamAV identified this as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', and an ML classifier also flagged it as malicious. The embedded URLs are the primary indicators of compromise, suggesting a phishing or content-farming attack vector.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://gotcertifications.com/uploads/1/3/0/2/130272266/nalilavukere.pdf
    • http://atlantadrummethod.com/uploads/1/3/0/5/130543671/9040002.pdf
    • http://cyber-journal.com/uploads/1/3/0/6/130620645/jefafafonoxife-paputupugowiz.pdf
    • http://siouxcitypropainting.com/uploads/1/3/0/5/130589037/duponivokow_tarinibagexis.pdf
    • http://thesingbabysingshow.com/uploads/1/3/0/7/130740175/130740175.html#between+the+sheets+movie+online
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00001066.bin
fd5efdd06f7578e75bcaf675303617111d7677446c1965d0598671072f23f03e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1066 8960 bytes
font_01_sfnt_off000078ac.bin
e2f1373bf3d70a40ff4276a486f0a1d2d32154e4f45ad1243a44c3d3b7d91cea		 pdf-font-stream PDF embedded font (sfnt) at offset 0x78AC 2652 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.