Malicious PDF — malware analysis report

Static analysis result for SHA-256 7e186524e5955b4e…

MALICIOUS

PDF

Size: 28.8 KB
Authoring application: Karbon
MD5: d8f2658b90fdce3facbd7b13083ae97c
SHA-1: dceda4179caee32f63ea79f1eaf6b9108ccc8dd4
SHA-256: 7e186524e5955b4e94f471295e96ab0b594e5849b94182ba2cc176d93dd09a70
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded external links, identified as a link farm, which is a common technique for SEO manipulation or distributing malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or malware distribution through these links. No scripts were extracted, but the structure and URL patterns suggest a malicious document designed to redirect users.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001ac4.bin
SHA-256: 759ae7c8bfc8df97a8e5abd96d3ad63ee486d64358f8d6fc1c53b17cb9c85880
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1AC4
Size: 6220 bytes