Malicious PDF — malware analysis report

Static analysis result for SHA-256 745585b8b3cd1c62…

Verdict: MALICIOUS
File type: PDF
Size: 40.6 KB
Authoring application: Karbon
MD5: afb4eb55cc837803436a43a8eff44a3d
SHA-1: 03bfbc042a9d34b720bee800d283949e90d1befc
SHA-256: 745585b8b3cd1c62887188d5cfefacaac63e749294773bcf11f53c905d8d03dd
Risk score: 152

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF carries a large number of clickable external links (18 extracted URLs, 17 of them pointing at .pdf files), which triggers the PDF_SEO_LINK_FARM heuristic. The targets sit on 17 different domains, so the rule's generic "clustered on one host" wording does not describe this sample; what ties them together instead is an identical, machine-generated upload path structure (/uploads/1/3/0/<digit>/<nine-digit id>/<random name>.pdf), which is consistent with an automatically generated link farm or content-distribution scheme rather than genuine document citations. Combined with the ML classifier verdict (malicious score 1.0000) and the ClamAV signature match, this strongly indicates malicious intent, most likely a phishing or unwanted-software delivery chain that routes readers through the linked PDFs.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs (18):
    • http://modtran7.net/uploads/1/3/0/5/130588546/zagobepema_loforuwug_givur_fufizevuladi.pdf
    • http://hostmaster.stjamesbythepark.org/uploads/1/3/0/7/130775753/vagitejet.pdf
    • http://orlandoaccidentlawyer.net/uploads/1/3/0/4/130435763/908da772.pdf
    • http://freestyleartclasses.com/uploads/1/3/0/6/130639506/242164.pdf
    • http://relaymobile.us/uploads/1/3/0/8/130873779/mixekinugonaso.pdf
    • http://centreforbrainhealth.com/uploads/1/3/0/2/130289380/sabivogaxuneb_todor_debep.pdf
    • http://abdullahalmaruf.com/uploads/1/3/0/5/130541445/334898.pdf
    • http://www.flawdastylez.com/uploads/1/3/0/5/130544811/8896215.pdf
    • http://fdnyfootball.com/uploads/1/3/0/7/130740374/wonejaxaxuwubovere.pdf
    • http://messydesk.org/uploads/1/3/0/2/130288359/d4e93e397f9ab0c.pdf
    • http://thebuttkickindietitian.com/uploads/1/3/0/7/130775228/wififajupobipa_kovijer_runex_nanubox.pdf
    • http://icebergholdings.com/uploads/1/3/0/3/130323477/kutojazovujega_doxazir.pdf
    • http://starfishcenter.org/uploads/1/3/0/6/130621031/ripazo.pdf
    • http://keithloutittrucking.com/uploads/1/3/0/6/130604552/vatotow-gonide.pdf
    • http://mckayryan.net/uploads/1/3/0/6/130621488/kotimigewuxa-bawoverukirub.pdf
    • http://oneabovecataract.net/uploads/1/3/0/9/130969362/61cccbaa2b163.pdf
    • http://freethought.com/uploads/1/3/0/3/130313046/392020.pdf
    • http://otf.brdge.org/uploads/1/3/0/5/130590778/130590778.html#atlassian+marketplace+for+bitbucket
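The PDF_SEO_LINK_FARM and EMBEDDED_URL findings above reduce to a measurable property of the file: a small PDF whose clickable link annotations point at many external .pdf targets. The script below is an added example, not the analysis platform's own detector or URL extractor. It pulls /URI targets out of raw PDF bytes, including those inside FlateDecode-compressed object streams where a plain grep would miss them, then counts external .pdf links and measures how strongly they cluster on one host. The thresholds (100 KB, 10 links), the placeholder hosts in SAMPLE_URLS and the builder that generates the test PDF are all assumptions of the example; it neither embeds nor fetches the report's URLs.

```python
"""Heuristic scan for 'small PDF carrying a farm of external .pdf links'.

Added example; not the analysis platform's PDF_SEO_LINK_FARM implementation.
Scans raw PDF bytes for /URI literal strings in plain objects and inside
Flate-compressed streams (PDF 1.5+ object streams can hold link annotations),
then scores link count and host concentration. Thresholds are assumptions.
Limitations: hex-string /URI <...> and URLs reached via JavaScript or
/OpenAction are not handled.
"""
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# /URI (literal string) honouring PDF escapes: \( \) \\ and \ddd octal
URI_RE = re.compile(rb'/URI\s*\(((?:\\.|[^\\)])*)\)', re.DOTALL)
STREAM_RE = re.compile(rb'(?<!end)stream\r?\n(.*?)\r?\nendstream', re.DOTALL)
ESC_RE = re.compile(rb'\\([0-7]{1,3}|.)', re.DOTALL)
SIMPLE_ESC = {b'n': b'\n', b'r': b'\r', b't': b'\t', b'b': b'\b', b'f': b'\f'}


def unescape_pdf_string(raw: bytes) -> str:
    """Undo PDF literal-string escapes; decode as latin-1 to keep every byte."""
    def sub(m):
        g = m.group(1)
        if all(c in b'01234567' for c in g):
            return bytes([int(g, 8) & 0xFF])
        return SIMPLE_ESC.get(g, g)  # \( \) \\ and unknown escapes: drop the backslash
    return ESC_RE.sub(sub, raw).decode('latin-1')


def extract_uris(pdf: bytes) -> list:
    """Every /URI target in file order: plain objects first, then Flate streams."""
    uris = [unescape_pdf_string(m.group(1)) for m in URI_RE.finditer(pdf)]
    for s in STREAM_RE.finditer(pdf):
        try:  # decompressobj tolerates a stream cut short by the EOL/endstream ambiguity
            body = zlib.decompressobj().decompress(s.group(1))
        except zlib.error:
            continue  # image/font data or another filter, not a Flate stream
        uris.extend(unescape_pdf_string(m.group(1)) for m in URI_RE.finditer(body))
    return uris


def assess_link_farm(pdf: bytes, max_size=100_000, min_pdf_links=10) -> dict:
    """Flag a small file whose clickable links are mostly external .pdf targets."""
    uris = extract_uris(pdf)
    pdf_links = [u for u in uris if urlsplit(u).scheme in ('http', 'https')
                 and urlsplit(u).path.lower().endswith('.pdf')]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    return {'size': len(pdf), 'total_uris': len(uris),
            'external_pdf_links': len(pdf_links), 'distinct_hosts': len(hosts),
            'top_host': top_host,
            'top_host_share': top_count / len(pdf_links) if pdf_links else 0.0,
            'flagged': len(pdf) <= max_size and len(pdf_links) >= min_pdf_links}


def pdf_string(s: str) -> bytes:
    b = s.encode('latin-1')
    return b'(' + b.replace(b'\\', b'\\\\').replace(b'(', b'\\(').replace(b')', b'\\)') + b')'


def build_sample_pdf(urls, compressed_from=12) -> bytes:
    """Constructed input: one page of Link annotations carrying `urls`. Annotations
    from index `compressed_from` onward go into a Flate-compressed object stream.
    No xref table is written: scanner fodder, not a viewer-clean file."""
    refs, plain, packed = [], [], []
    for i, u in enumerate(urls):
        num = 4 + i
        refs.append(b'%d 0 R' % num)
        body = (b'<< /Type /Annot /Subtype /Link /Rect [36 %d 300 %d] '
                b'/A << /S /URI /URI %s >> >>' % (700 - 14 * i, 712 - 14 * i, pdf_string(u)))
        (packed if i >= compressed_from else plain).append((num, body))
    out = [b'%PDF-1.5\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n',
           b'2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n',
           b'3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] '
           b'/Annots [' + b' '.join(refs) + b'] >> endobj\n']
    out += [b'%d 0 obj %s endobj\n' % ob for ob in plain]
    if packed:
        header, data = b'', b''
        for num, body in packed:  # ObjStm layout: "num offset" pairs, then the objects
            header += b'%d %d ' % (num, len(data))
            data += body + b'\n'
        comp = zlib.compress(header + b'\n' + data)
        out.append(b'%d 0 obj << /Type /ObjStm /N %d /First %d /Length %d /Filter /FlateDecode >>\n'
                   b'stream\n%s\nendstream\nendobj\n'
                   % (4 + len(urls), len(packed), len(header) + 1, len(comp), comp))
    out.append(b'trailer << /Root 1 0 R >>\n%%EOF\n')
    return b''.join(out)


# Constructed sample: placeholder hosts, path shape modelled on the report's URL list.
SAMPLE_URLS = ['http://site%02d.example/uploads/1/3/0/%d/1305%05d/doc%d.pdf' % (i, i % 10, i, i)
               for i in range(17)]
SAMPLE_URLS.append('http://site17.example/uploads/1/3/0/7/130500017/130500017.html#landing')

if __name__ == '__main__':
    print('link farm:', assess_link_farm(build_sample_pdf(SAMPLE_URLS)))
    print('two links:', assess_link_farm(build_sample_pdf(['https://example.org/a.pdf',
                                                          'https://example.org/b.pdf'])))
```

On the constructed sample the count-plus-size signal fires (17 external .pdf links in a few kilobytes) while top_host_share stays at 1/17, mirroring the report above where every link sits on its own host; a detector that relied only on host clustering would miss this family, so the shared path structure or the raw count is the better discriminator. Real files add two wrinkles the script flags in comments but does not solve: /URI values written as hex strings, and link chains reached through JavaScript or /OpenAction rather than annotations.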

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003e62.bin
SHA-256: 26f07d7530e1ebebaf133c3d0c0df5f5f890fb0a9b44709c00b4a9981b9b865a
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3E62
Size: 9144 bytes