Malicious PDF — malware analysis report

Static analysis result for SHA-256 8f5be465f34d3f03…

Verdict: MALICIOUS
File type: PDF
Size: 59.1 KB
Authoring application: Karbon
MD5: efab77e58805ee9c8b0f9c880c3f3c29
SHA-1: 27de809cc4e2a0796d59424a2a1d259e51522dc0
SHA-256: 8f5be465f34d3f031be744322ef68ce12686ced5730c8c380a4d5b3ae69823fa
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded URLs pointing to other PDF files on various domains. This behavior is indicative of a link farm or a distribution mechanism for further malicious content, as flagged by the PDF_SEO_LINK_FARM heuristic. The ML classifier and ClamAV also strongly indicate maliciousness. No scripts were extracted, and the document body content is heavily corrupted, but the presence of numerous external links is the primary indicator of malicious intent.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://speechtherapynorcal.com/uploads/1/3/0/2/130291561/fusufunowo_bemenugufuma_semuv_nixemuletog.pdf
    • http://readingrescuetalk.com/uploads/1/3/0/3/130313293/b0a84.pdf
    • http://greenburgheleven.com/uploads/1/3/0/5/130539139/giwijopu.pdf
    • http://ashleighjane-adventure.net/uploads/1/3/0/4/130490301/meferirijibupiwi.pdf
    • http://camacamp.org/uploads/1/3/0/2/130271148/wiledede-jodunevuvefexa.pdf
    • http://seecs.org/uploads/1/3/0/4/130483345/ae698.pdf
    • http://daniellesmakeupcreations.com/uploads/1/3/0/2/130272905/9111263.pdf
    • http://neobedbugtaskforce.com/uploads/1/3/0/5/130544625/5274575.pdf
    • http://aktivmassageterapi.se/uploads/1/3/0/6/130621317/d24f16cd3.pdf
    • http://aprel8.world/uploads/1/3/0/7/130740450/veporuja.pdf
    • http://mymissblue.com/uploads/1/3/0/2/130272554/130272554.html#chinese+astrology+love+compatibility+chart

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00001274.bin
    SHA-256: 35afc892653764560c9480e5872f2250f2c47932fdd093df92ed5346d00929a8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1274
    Size: 8476 bytes
  • Filename: font_01_sfnt_off00006480.bin
    SHA-256: cc7ea7356df8ee0c4478e85476f5355bd23cd7790f08ff684cec84a848756727
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6480
    Size: 18088 bytes
  • Filename: font_02_sfnt_off000099c6.bin
    SHA-256: cda84c423673dabcc70012e2279f10eb4449d64c2a5c7ea20911aca12b6dc41a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x99C6
    Size: 18576 bytes