Malicious PDF — malware analysis report

Static analysis result for SHA-256 70821f96c064dcad…

Verdict: MALICIOUS
File type: PDF
Size: 43.7 KB
Authoring application: Karbon
MD5: 7d4225b9be3554ee445d12935dbf4b23
SHA-1: df7f6b6bb11bce55b104a1bcd8e34335785ccdba
SHA-256: 70821f96c064dcad83a2ddf2c3a90b9eee65e452d4c1d361088a5012e36c7583
Risk Score: 192

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file was detected as malicious by ClamAV and ML classifiers, exhibiting characteristics of a phishing or SEO poisoning campaign. It contains a large number of external links pointing to other PDF files, suggesting an attempt to distribute malware or phish users. No scripts were extracted, but the presence of numerous external URLs indicates a likely intent to redirect users to malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • PDF link to algorithmically-generated URL [high] PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures (the visible document is only a prompt), not a PDF parser vulnerability.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000012e6.bin
    SHA-256: 6935a41baf84f4919cbca5dc5c22904a4b174f18ef1789cf187a2200bd3911a5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12E6
    Size: 8908 bytes
  • Filename: font_01_sfnt_off000070b8.bin
    SHA-256: 83459e82cebe561b9e65dda6a09953c9e35f75e5df0fa62a624e1833cc5b8086
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x70B8
    Size: 1708 bytes