Malicious PDF — malware analysis report

Static analysis result for SHA-256 7501127469b82b5a…

MALICIOUS

PDF

Size: 35.6 KB
Authoring application: Scribus
MD5: a7354f350b3ad75e65798d48d773565f
SHA-1: 3bbb2186d32b1e7c79acdcad710c42f1300614c8
SHA-256: 7501127469b82b5a689d7582e9aebef3f023d07e6e72016546a1d4f5b2b2c9b7
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. These links point to various PDF files hosted on different domains, suggesting a link farm or distribution mechanism. While no scripts were explicitly extracted, the structure and numerous external URLs indicate a malicious intent to redirect users, potentially for SEO manipulation or to serve further malicious content. The ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports its malicious classification.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://dreamcatalyst.org/uploads/1/3/0/7/130775594/9536886.pdf
    • http://toughness.guru/uploads/1/3/0/8/130814329/8745624.pdf
    • http://ortaklargrup.net/uploads/1/3/0/2/130289636/vujilofuj.pdf
    • http://webdisk.pleikuab.com/uploads/1/3/0/6/130604682/e2b4a4a.pdf
    • http://politinks.net/uploads/1/3/0/7/130739524/bb269ccd510a5.pdf
    • http://mistocareala.com/uploads/1/3/0/6/130604858/b1b06ed28b3e.pdf
    • http://monolid.net/uploads/1/3/0/4/130483238/tumit.pdf
    • http://bisconsulting.it/uploads/1/3/0/5/130541744/jowatus_tobiteje_selofuduni.pdf
    • http://migratorypathways.com/uploads/1/3/0/3/130380037/d46871bb5.pdf
    • http://geiz5.bpmtc.com/uploads/1/3/0/8/130813400/9580052.pdf
    • http://utahdivorceconsulting.com/uploads/1/3/0/8/130874350/vanabevixoj-zonimovuduno-fubipavop.pdf
    • http://heartlandartclub.com/uploads/1/3/0/5/130543084/cedd6d2.pdf
    • http://stephaniepereira.com/uploads/1/3/0/2/130270900/a00503fcd8d41.pdf
    • http://www.capoeirainphilly.com/uploads/1/3/0/8/130814596/9718074.pdf
    • http://www.darrenandavalynn.com/uploads/1/3/0/7/130776790/debovijujox_zepatak_fugejev_wiwabo.pdf
    • http://wizardsandwolves.com/uploads/1/3/0/6/130639456/perijejagobivun-romegegajorege-marovavanurekoj-lewokivebogus.pdf
    • http://pdtrucking.net/uploads/1/3/0/6/130639201/5291358.pdf
    • http://artistmeetsthepeople.com/uploads/1/3/0/2/130272364/fosanizukuwunona.pdf
    • http://baijialegongshi.br3h.com/uploads/1/3/0/6/130622095/130622095.html#put+2+pdfs+together+mac

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002d6e.bin
SHA-256: a368d4e794bb53bcfcff30dcf40f1d7599e28648b0832e2ba33cddf3710d136d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2D6E
Size: 7920 bytes