Malicious PDF — malware analysis report

Static analysis result for SHA-256 9a53bba9b47f553b…

Verdict: MALICIOUS
File type: PDF
Size: 40.0 KB
Authoring application: Scribus
MD5: 9a8d31c7917f69c7bb61c271d5efcffc
SHA-1: 2d58443ec2c145e4185b730baf1baa394855b066
SHA-256: 9a53bba9b47f553bdbc1401b1504b075702c7e75f0ab5c1a8f06b4c413001549
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. The ML classifier and ClamAV also flagged this as malicious, with ClamAV specifically identifying it as Pdf.Phishing.TtraffRobotInstall. The embedded URLs are likely used to direct users to malicious content or phishing sites. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, heuristic: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, heuristic: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (heuristic: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000015cb.bin
SHA-256: cbe997d3188d3f3a6bffdd94de9b6ab980b90a82995e019c037aad17e845e668
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x15CB
Size: 8732 bytes