Malicious PDF — malware analysis report

Static analysis result for SHA-256 a168d601cbeb87b6…

Verdict: MALICIOUS
File type: PDF
Size: 49.8 KB
Authoring application: Inkscape
MD5: b5ddde138cc1c21ba6a9fe7112335a62
SHA-1: 3ffe3acd96e2bcff8e4e7604f9b2dae4a847b2d9
SHA-256: a168d601cbeb87b638a4d97fb35ff44af6c4bc62e78b06aeaf86ccb156dbd9fc
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of link annotations pointing at external PDF documents, a pattern typical of generated SEO link-farm carriers used to route readers into malicious or unwanted-software delivery chains. The ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 and the ML classifier score (1.0000) both indicate malicious intent. The document body is heavily obfuscated but contains references to English phrasal verbs and to Inkscape (the declared authoring application), consistent with a lure document. The primary attack pattern is redirection of the reader into a network of linked PDFs. No PowerShell or other script content was extracted from this sample (the only carved artifact is an embedded font), so the T1059.001 mapping should be read as context for the downstream delivery chain rather than as behaviour observed in this file.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern. In this sample the 21 PDF targets listed below sit on 21 different hosts; what they share is the path template /uploads/1/3/0/x/13xxxxxxx/.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URLs (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel label (macro, JS, link annotation, document body, ...) records which channel reached each URL. No per-URL labels are shown in this export; the PDF_SEO_LINK_FARM heuristic above identifies the targets as clickable link annotations. Extracted URLs (22, of which 21 point to .pdf files):
    • http://certifiedemergencyservices.net/uploads/1/3/0/7/130776411/d91cb4227ac.pdf
    • http://www.liv-your-best-life.com/uploads/1/3/0/7/130738596/duvekalulorozupotupo.pdf
    • http://gestenlaw.com/uploads/1/3/0/6/130621557/5693538.pdf
    • http://focinet.com/uploads/1/3/0/5/130590664/8051cc91.pdf
    • http://pawsitivewa.com/uploads/1/3/0/7/130775749/gifibesuvifojidi.pdf
    • http://nissajackman.org/uploads/1/3/0/7/130739385/zowaxonavigalijiza.pdf
    • http://greenlightworkshop.com/uploads/1/3/0/6/130603860/gofimozifav.pdf
    • http://007bondband.com/uploads/1/3/0/2/130270763/4890809.pdf
    • http://agelessfitness.net/uploads/1/3/0/5/130550774/8351395.pdf
    • http://chillnbeans.com/uploads/1/3/0/5/130588295/4229238.pdf
    • http://chubbytortuga.org/uploads/1/3/0/7/130775584/xapelirav_nuvatoraxubog_bosevin_mofuvixozegaduj.pdf
    • http://longwoodhomesforsale.net/uploads/1/3/0/7/130738732/9879990.pdf
    • http://www.mdm1.bethalto.org/uploads/1/3/0/4/130478259/1cad08d3fdf42.pdf
    • http://www.laccdsustsainability.com/uploads/1/3/0/4/130489162/kegenudidep-lakinokeganevov-danowubaxowogab-kivinid.pdf
    • http://www.goodfoodgroup.org/uploads/1/3/0/3/130313466/fuvaronomebukofejow.pdf
    • http://mrtechyon.com/uploads/1/3/0/2/130288720/8bb07.pdf
    • http://ssperformancemassage.com/uploads/1/3/0/5/130588263/1d740e0f9dfd0.pdf
    • http://augustachoral.org/uploads/1/3/0/3/130323126/a819efa888.pdf
    • http://threeriverproperties.com/uploads/1/3/0/2/130289504/1035715.pdf
    • http://angelmedicalcare.org/uploads/1/3/0/6/130604498/8690543.pdf
    • http://cabuildingdecarb.org/uploads/1/3/0/4/130489038/3437122.pdf
    • http://bahamasaugustllc.com/uploads/1/3/0/6/130603965/130603965.html#english+common+phrasal+verbs
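
Added example (not part of the analyzer's output or of this report): a stand-alone Python re-implementation of a PDF_SEO_LINK_FARM-style check, run over a constructed minimal PDF whose link annotations carry twelve of the URLs listed above. The synthetic PDF wrapper and the thresholds (200 KB maximum size, at least 10 external .pdf links, 60% clustering) are assumptions. Because the targets in this sample sit on different hosts but share the path template /uploads/N/N/N/N/N, the check clusters on either host or digit-normalised path template, which generalises the "clustered on one host" wording of the heuristic.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample input: the link targets are taken from the report above;
# the PDF wrapper around them is synthetic and written by build_pdf().
SAMPLE_URLS = [
    "http://certifiedemergencyservices.net/uploads/1/3/0/7/130776411/d91cb4227ac.pdf",
    "http://www.liv-your-best-life.com/uploads/1/3/0/7/130738596/duvekalulorozupotupo.pdf",
    "http://gestenlaw.com/uploads/1/3/0/6/130621557/5693538.pdf",
    "http://focinet.com/uploads/1/3/0/5/130590664/8051cc91.pdf",
    "http://pawsitivewa.com/uploads/1/3/0/7/130775749/gifibesuvifojidi.pdf",
    "http://nissajackman.org/uploads/1/3/0/7/130739385/zowaxonavigalijiza.pdf",
    "http://greenlightworkshop.com/uploads/1/3/0/6/130603860/gofimozifav.pdf",
    "http://007bondband.com/uploads/1/3/0/2/130270763/4890809.pdf",
    "http://agelessfitness.net/uploads/1/3/0/5/130550774/8351395.pdf",
    "http://chillnbeans.com/uploads/1/3/0/5/130588295/4229238.pdf",
    "http://chubbytortuga.org/uploads/1/3/0/7/130775584/xapelirav_nuvatoraxubog_bosevin_mofuvixozegaduj.pdf",
    "http://bahamasaugustllc.com/uploads/1/3/0/6/130603965/130603965.html#english+common+phrasal+verbs",
]


def build_pdf(urls):
    """Wrap URLs in a minimal PDF with one /Link annotation per URL (synthetic).
    Literal (...) and hex <...> string forms alternate so both are exercised."""
    annots = []
    for i, u in enumerate(urls):
        enc = f"({u})" if i % 2 == 0 else f"<{u.encode('latin-1').hex()}>"
        annots.append(f"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                      f"/A << /S /URI /URI {enc} >> >>")
    body = ("%PDF-1.4\n"
            "1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
            "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            "3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [\n"
            + "\n".join(annots) +
            "\n] >> endobj\n"
            "trailer << /Root 1 0 R >>\n%%EOF\n")
    return body.encode("latin-1")


# /URI values appear as literal strings (...) or hex strings <...>.
# Caveat: this is a raw-byte scan. Annotations inside compressed object
# streams (/ObjStm with /FlateDecode) are invisible until inflated.
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")


def extract_uris(data: bytes) -> list[str]:
    uris = []
    for m in URI_LITERAL.finditer(data):
        raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # undo \( \) \\ escapes
        uris.append(raw.decode("latin-1"))
    for m in URI_HEX.finditer(data):
        hexs = re.sub(rb"\s", b"", m.group(1))
        if len(hexs) % 2:  # PDF treats a missing final hex digit as 0
            hexs += b"0"
        uris.append(bytes.fromhex(hexs.decode("ascii")).decode("latin-1"))
    return uris


def path_template(url: str) -> str:
    """Directory part of the path with every digit run replaced by N, so
    /uploads/1/3/0/7/130776411/x.pdf -> /uploads/N/N/N/N/N."""
    directory = urlsplit(url).path.rsplit("/", 1)[0]
    return re.sub(r"\d+", "N", directory)


def assess_link_farm(data: bytes, *, max_size=200_000, min_links=10,
                     cluster_ratio=0.6) -> dict:
    """Assumed thresholds (not the analyzer's): flag a file no larger than
    max_size with at least min_links external .pdf links when at least
    cluster_ratio of them share one host or one path template."""
    uris = extract_uris(data)
    pdf_links = [u for u in uris
                 if urlsplit(u).scheme in ("http", "https")
                 and urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    templates = Counter(path_template(u) for u in pdf_links)
    n = len(pdf_links)
    host_share = max(hosts.values()) / n if n else 0.0
    tpl_share = max(templates.values()) / n if n else 0.0
    flagged = (len(data) <= max_size and n >= min_links
               and max(host_share, tpl_share) >= cluster_ratio)
    return {
        "size": len(data),
        "pdf_link_count": n,
        "distinct_hosts": len(hosts),
        "top_host_share": round(host_share, 3),
        "top_path_template": templates.most_common(1)[0][0] if n else None,
        "top_template_share": round(tpl_share, 3),
        "flagged": flagged,
    }


if __name__ == "__main__":
    for key, value in assess_link_farm(build_pdf(SAMPLE_URLS)).items():
        print(f"{key}: {value}")
```

On the constructed sample the host share is below the threshold (eleven links, eleven hosts) while the path-template share is 1.0, so the file is flagged on the template rather than the host. A production version of this check would inflate /FlateDecode streams before scanning, and would also look at /GoToR, /Launch and /JavaScript actions, which carry the same kind of redirection but do not use a /URI key.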

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00000f97.bin
SHA-256: 0d8b6e94b7a88caadb27ee2e452a6a466869db34d7299ba706ad0249978637d8
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF97
Size: 8196 bytes