Malicious PDF — malware analysis report

Static analysis result for SHA-256 9be8e1e9e627c54a…

Verdict: MALICIOUS
File type: PDF
Size: 71.8 KB
Authoring application: Inkscape
MD5: 159f9baf3ce1acda1ab0970c81cb06e2
SHA-1: f9b7a63323964750c8d2605a56584ae61a9f55fa
SHA-256: 9be8e1e9e627c54a3bf2b430802c951121459fca3a78c0767593648aa5f227d6
Risk score: 150

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File

The PDF carries a large number of clickable links to external PDF files, which triggered the PDF_SEO_LINK_FARM heuristic. Unlike the heuristic's typical case, the links are not clustered on one host: they point at seven different domains, all using the same /uploads/1/3/0/<n>/<id>/ path layout as the weebly.com-hosted link, which is consistent with a batch of generated sites rather than genuine document citations. The ML classifier score (0.9770) and the ClamAV signature both indicate malicious intent, most likely phishing or staging further malware downloads. The visible document body, though truncated, is a grammar exercise (assertive to exclamatory sentences, per the landing-page URL fragment), which serves as the lure disguising the link farm.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9770

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://sheilastonephotographer.com/uploads/1/3/0/6/130639051/bamawujonaw.pdf
    • http://allmytreasures37.com/uploads/1/3/0/2/130270887/xamidenajet.pdf
    • https://nusikariwemak.weebly.com/uploads/1/3/0/3/130323930/jopuloludeji.pdf
    • http://sergiomauricio.ca/uploads/1/3/0/3/130323342/ac0076f505fcdb.pdf
    • http://pierrecyr.ca/uploads/1/3/0/6/130605194/bugopuna.pdf
    • http://mid-citymaintenance.com/uploads/1/3/0/6/130639668/abcebe5f443b.pdf
    • http://mofflongboards.com/uploads/1/3/0/7/130775398/130775398.html#assertive+to+exclamatory+sentences+exercises+pdf
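The PDF_SEO_LINK_FARM heuristic above rests on two steps: pulling the /URI targets out of the document's link annotations (including ones tucked inside compressed object streams, which a plain byte scan misses), then scoring them by count, size and host concentration. The script below is an added example written for this report, not the analysis platform's own code. The thresholds (200 KB, five .pdf links, 60% on one host) are assumptions chosen for illustration, the sample PDF it builds is constructed input with invented example.test hostnames, and it goes one step beyond the heuristic text by reporting host clustering as a separate flag: the seven URLs from this report are spread over seven hosts, so a rule that required one dominant host would have missed them.

```python
"""Extract link-annotation URIs from a PDF and score the link-farm pattern.

Added example for this report, not the analysis platform's own code.
Thresholds are assumptions; the sample PDF is constructed test input.
"""
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# /URI followed by a literal string (...) or a hex string <...>.
_URI_RE = re.compile(rb"/URI\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)")
# A stream dictionary plus body. FlateDecode object streams can hide annotation
# dictionaries from a raw byte scan, so those are inflated and scanned as well.
_STREAM_RE = re.compile(rb"<<(?P<dict>.*?)>>\s*stream\r?\n(?P<data>.*?)\r?\nendstream", re.S)

# The seven URLs listed in this report (the .html one is the lure's landing page).
REPORT_URLS = [
    "http://sheilastonephotographer.com/uploads/1/3/0/6/130639051/bamawujonaw.pdf",
    "http://allmytreasures37.com/uploads/1/3/0/2/130270887/xamidenajet.pdf",
    "https://nusikariwemak.weebly.com/uploads/1/3/0/3/130323930/jopuloludeji.pdf",
    "http://sergiomauricio.ca/uploads/1/3/0/3/130323342/ac0076f505fcdb.pdf",
    "http://pierrecyr.ca/uploads/1/3/0/6/130605194/bugopuna.pdf",
    "http://mid-citymaintenance.com/uploads/1/3/0/6/130639668/abcebe5f443b.pdf",
    "http://mofflongboards.com/uploads/1/3/0/7/130775398/130775398.html#assertive+to+exclamatory+sentences+exercises+pdf",
]


def _unescape(raw: bytes) -> str:
    # Undo the PDF literal-string escapes that matter for URLs: \( \) \\
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")


def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI target found in the raw bytes and inside FlateDecode streams."""
    blobs = [pdf]
    for m in _STREAM_RE.finditer(pdf):
        if b"/FlateDecode" in m.group("dict"):
            try:
                blobs.append(zlib.decompress(m.group("data")))
            except zlib.error:
                pass  # damaged or multi-filter stream; a real tool would flag this
    uris = []
    for blob in blobs:
        for m in _URI_RE.finditer(blob):
            if m.group("lit") is not None:
                uris.append(_unescape(m.group("lit")))
            else:
                digits = re.sub(rb"\s", b"", m.group("hex")).decode("ascii")
                uris.append(bytes.fromhex(digits).decode("latin-1"))
    return uris


def link_farm_verdict(size_bytes, uris, max_size=200_000, min_pdf_links=5, cluster_ratio=0.6):
    """Score the PDF_SEO_LINK_FARM idea: small file, many external .pdf links.

    Thresholds are assumed for illustration. Host clustering is reported as its own
    flag rather than folded into the hit, because this report's sample spreads its
    links over seven hosts and would slip past a rule that demanded one dominant host.
    """
    parsed = [urlparse(u) for u in uris]
    external = [p for p in parsed if p.scheme in ("http", "https") and p.hostname]
    pdf_links = [p for p in external if p.path.lower().endswith(".pdf")]
    hosts = Counter(p.hostname.lower() for p in external)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    return {
        "hit": size_bytes <= max_size and len(pdf_links) >= min_pdf_links,
        "external": len(external),
        "pdf_links": len(pdf_links),
        "hosts": len(hosts),
        "top_host": top_host,
        "clustered": bool(external) and top_n / len(external) >= cluster_ratio,
    }


def build_sample_pdf() -> bytes:
    """Constructed test input (not the analysed sample): three plain /URI annotations
    plus two more hidden in a FlateDecode object stream. Hostnames are invented."""
    targets = [
        b"http://seo-a.example.test/uploads/1/3/0/6/a.pdf",
        b"http://seo-a.example.test/uploads/1/3/0/6/b.pdf",
        b"http://seo-a.example.test/uploads/1/3/0/6/c\\(1\\).pdf",  # escaped parentheses
    ]
    plain = b"".join(
        b"%d 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >>\nendobj\n"
        % (n, u) for n, u in enumerate(targets, start=4)
    )
    hidden = (b"7 0 << /S /URI /URI (http://seo-a.example.test/uploads/1/3/0/6/d.pdf) >>\n"
              b"8 0 << /S /URI /URI <" + b"http://seo-b.example.test/e.pdf".hex().encode() + b"> >>\n")
    data = zlib.compress(hidden)
    objstm = (b"9 0 obj\n<< /Type /ObjStm /N 2 /First 8 /Filter /FlateDecode /Length %d >>\nstream\n"
              % len(data) + data + b"\nendstream\nendobj\n")
    return b"%PDF-1.7\n" + plain + objstm + b"%%EOF\n"


if __name__ == "__main__":
    sample = build_sample_pdf()
    print(link_farm_verdict(len(sample), extract_uris(sample)))
    print(link_farm_verdict(73_500, REPORT_URLS))  # 71.8 KB from the report, rounded
```

Run against the constructed sample, all five links surface (including the two in the object stream and the one with escaped parentheses) and the verdict is both a hit and host-clustered; run against this report's URL list, it is a hit on count and size but not clustered, which is the case the heuristic description above does not spell out.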

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename                       Kind             Source                                      Size
font_00_sfnt_off000013b0.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0x13B0   8480 bytes
  SHA-256: 06d059d29e729698b7de3f318cece77f5d184e6e0f01e612d01273b4aae04ef3
font_01_sfnt_off0000a2d3.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xA2D3   2316 bytes
  SHA-256: 8da94621ad76b3aa2bde739f7f325d6c97b3a5e88aaf83d2b66a3e98de15a855
font_02_sfnt_off0000ac8a.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xAC8A   2732 bytes
  SHA-256: 7863b829de04ea8b7f5be4d5dae43fa62182e7611f0c3a300d10b316d27db496
font_03_sfnt_off0000b599.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xB599   1388 bytes
  SHA-256: 1723f1ced37cc89d69e30f3df6281c5e5fb8989544fd4587aa75b00c91af2fd0
font_04_sfnt_off0000bf28.bin   pdf-font-stream  PDF embedded font (sfnt) at offset 0xBF28   14932 bytes
  SHA-256: 45426e5b5dfd3540d87149d888a7a2cc807b0aa34a47813476fc68fc12e57567