Malicious PDF — malware analysis report

Static analysis result for SHA-256 7f80d348e9d1a842…

MALICIOUS

PDF

Size: 58.4 KB
Authoring application: Inkscape
MD5: 12cebf6578249a98c0aa87f4f00bdf15
SHA-1: 1ade73d0f5c38e26018b262182a072b08d3729fa
SHA-256: 7f80d348e9d1a842295c6fcb2348edbc771b42f33a0930a51c493fc3e7f5aab4
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF document exhibits characteristics of a phishing or SEO spam campaign, as indicated by the 'PDF_SEO_LINK_FARM' heuristic and the high number of embedded external URLs. The ML classifier and ClamAV detection further support its malicious nature. The document body, though containing some garbled text, also includes several of the same external PDF links, suggesting a coordinated effort to distribute malicious content via these links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00001042.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1042 | 8200 bytes
    SHA-256: 9f3a551b3025b2e707bb53ca02cdc1a532fc3ed6a148684e66bf55a84cc26fbb
font_01_sfnt_off000098ec.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x98EC | 16036 bytes
    SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63