Malicious PDF — malware analysis report

Static analysis result for SHA-256 77f597636d630d7a…

Verdict: MALICIOUS
File type: PDF
Size: 58.2 KB
Authoring application: Inkscape
MD5: d582e5fee273e21e0e259bd59ce3e3c7
SHA-1: 197af787121f008a7056732505fab7a4c944dda2
SHA-256: 77f597636d630d7ae1932e95e485140fd711a1cae1b9f7a4015b1c5bff9a4428
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains a large number of embedded URLs pointing to external PDF documents, a technique often used for SEO poisoning or to distribute malicious content. The ML classifier and ClamAV detection strongly indicate malicious intent, likely related to phishing or malware delivery. The document body, though heavily obfuscated, contains references to social media and URLs, reinforcing the lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://bobcatinfo.org/uploads/1/3/0/7/130739131/natujomefekekamu.pdf
    • http://misfitcrusaders.com/uploads/1/3/0/6/130639440/3972461.pdf
    • http://globalwarming1.com/uploads/1/3/0/4/130476607/b83e60c.pdf
    • http://alt-lifecoach.com/uploads/1/3/0/3/130323141/korenoxozo_tojakewaril_fipofamubib.pdf
    • http://qikbuild.com/uploads/1/3/0/5/130588595/xevuxu.pdf
    • http://thetrixxband.com/uploads/1/3/0/7/130775626/5435407.pdf
    • http://risingartistfestival.com/uploads/1/3/0/5/130539706/7221709.pdf
    • http://chewoncakes.com/uploads/1/3/0/8/130814960/130814960.html#linkedin+profile+picture+2018
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000117f.bin
  SHA-256: 2b4df978f9d34c8a247cdf707b9bdc834492f55ef09692f694c3d4f25dde2107
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x117F
  Size: 8496 bytes

Filename: font_01_sfnt_off00008a52.bin
  SHA-256: 2d6bd6032eb36d2a5141bbf354c5cc4aee3708917332664e7aa619b3a9ae568a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8A52
  Size: 2740 bytes

Filename: font_02_sfnt_off00009383.bin
  SHA-256: 145b4084e68de4aac6142ebdeeb89899dee64987ba7f21e8d4e52724344a98e5
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x9383
  Size: 16096 bytes

Filename: font_03_sfnt_off0000a7d0.bin
  SHA-256: 3023bede055efc9a3eecfe4f5d36471597e9149f05a6ac3bea085e6594b329a3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xA7D0
  Size: 4056 bytes