Malicious PDF — malware analysis report

Static analysis result for SHA-256 84a352820995267a…

MALICIOUS

PDF

Size: 45.2 KB
Authoring application: Karbon
MD5: aab17df1d1e6182e123b7de2ee41299e
SHA-1: 352d8d6678cc3cc2fe6c9a05ade7c1ec93c82a18
SHA-256: 84a352820995267a3f55b00f9a1537a44082dafac419359243e03848cc101181
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF was flagged by multiple heuristics, including a critical finding for a PDF link farm containing numerous external URLs. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports a malicious classification. The embedded URLs suggest a phishing or malicious content distribution scheme, likely initiated via spearphishing attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000011d6.bin
    SHA-256: 70ad37f2557795057de19fe0af16ffc800da228393d445a86b7dd52a040b2583
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11D6
    Size: 9708 bytes
  • Filename: font_01_sfnt_off00007631.bin
    SHA-256: e91619dfd4c72a85464d95ef1ba4e67df13020651c42071bafbe521a61d9f7fc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7631
    Size: 2652 bytes