Malicious PDF — malware analysis report

Static analysis result for SHA-256 891512b784330be9…

MALICIOUS

PDF

Size: 35.4 KB
Authoring application: Inkscape
MD5: f82dd65d6b4aa111a2bab55f3fc2ad55
SHA-1: 9bd13570ea86598af88751af05a87a020598664b
SHA-256: 891512b784330be9f31b61cdf9c8b6bdd31908244fd47aa300da14e6b998c3d7
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links pointing to external PDF files hosted on various domains, consistent with SEO spam or a link farm used for distributing malicious content. ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and ML classification further support its malicious nature. The document body itself appears to be obfuscated or corrupted, but the presence of numerous URLs is the primary indicator of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000012f1.bin
  SHA-256: b76faa618fb0846477ea7be9599d5a952d75e31c0fc60d6e90732a093d056bcc
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x12F1
  Size: 8556 bytes

Filename: font_01_sfnt_off00004d1f.bin
  SHA-256: 2faf3b174afa5eb158d723cfd3ba4e37b4859eff1362dd251119091b4a46f47e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x4D1F
  Size: 3144 bytes