Malicious PDF — malware analysis report

Static analysis result for SHA-256 a2bbe3a69673ce2d…

MALICIOUS

PDF

Size: 46.7 KB
Authoring application: Scribus
MD5: e30fc022617a411e25b2dfe5346a7fa6
SHA-1: 0eed3022aa7736356ef23d70c69d6a7202a21e8b
SHA-256: a2bbe3a69673ce2d74c168053598227d3df23b00ecea527bcd59430caec51fa8
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell

The PDF carries a link farm: a large number of clickable link annotations pointing at external PDF files on many different domains. The URLs share one path layout (/uploads/<n>/<n>/<n>/<n>/<id>/<name>.pdf), which suggests the domains are accounts on a single site-builder platform rather than unrelated sites. This pattern is used to route users into malicious or unwanted-software delivery chains or phishing pages, not to cite documents. The ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 is consistent with that phishing and traffic-redirection intent. The evidence on this page is limited to link annotations: no JavaScript, macro or command-line artifact is listed, so the T1059.001 (PowerShell) mapping should be read as a hypothesis about the downstream payload rather than something observed in this file.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    A small PDF contains many clickable external PDF links. In this sample the links are spread across different domains but share a single host-path template, which matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://wallmaven.com/uploads/1/3/0/5/130588296/nuvepemojetagid_zomozesiw.pdf
    • http://www.waxedbylaurie.com/uploads/1/3/0/7/130740259/funolu.pdf
    • http://djalexmusic.com/uploads/1/3/0/7/130740590/e0bac.pdf
    • http://theguythatfilms.com/uploads/1/3/0/5/130588452/3811267.pdf
    • http://anchorfertilitycare.com/uploads/1/3/0/3/130323251/879fb01b7683825.pdf
    • http://moonflowerproduction.com/uploads/1/3/0/6/130640010/ef8f89dc9e4db4.pdf
    • http://discountclosetspecialist.com/uploads/1/3/0/7/130776054/85af1a201b.pdf
    • http://myplustokenwallet.com/uploads/1/3/0/6/130605472/dujekumenasuxewe.pdf
    • http://buffalokiemarket.com/uploads/1/3/0/4/130436271/zilelugoxaket.pdf
    • http://kupetspinkinvitational.com/uploads/1/3/0/7/130776386/5105697.pdf
    • http://bigbikeadventuretours.com.au/uploads/1/3/0/6/130622012/6e6941717b6.pdf
    • http://bellafiore-charlotte.com/uploads/1/3/0/6/130620232/4395475.pdf
    • http://desertdreamxxx.com/uploads/1/3/0/7/130776499/2041220.pdf
    • http://somersetfoodtrail.org/uploads/1/3/0/7/130739711/130739711.html#the+50+most+common+phrasal+verbs+b.t.+stoakley
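The PDF_SEO_LINK_FARM heuristic above can be reproduced with a small scanner that pulls /URI link actions out of a PDF and measures how clustered they are. The following is an added example, not the analysis platform's own code: it builds an uncompressed PDF in memory (constructed sample, placeholder hosts rather than the URLs listed above), extracts the link targets, and scores them by host share and by a digit-normalised path template, so that a farm spread over many domains with one path layout still triggers. The size, link-count and cluster thresholds are assumptions chosen for illustration.

```python
"""Link-farm heuristic over PDF /URI link annotations (added example)."""
import re
from collections import Counter
from urllib.parse import urlsplit


def build_sample_pdf(urls):
    """Constructed, uncompressed PDF with one /Link annotation per URL."""
    annots, objs = [], []
    for i, u in enumerate(urls, start=4):
        annots.append(f"{i} 0 R")
        objs.append(f"{i} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    f"/A << /S /URI /URI ({u}) >> >>\nendobj\n")
    doc = ("%PDF-1.4\n"
           "1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
           "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
           "3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
           f"/Annots [{' '.join(annots)}] >>\nendobj\n" + "".join(objs) + "%%EOF\n")
    return doc.encode("latin-1")


# /URI followed by a literal string (...) or a hex string <...>.
_URI_LIT = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
_URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")


def _unescape(raw: bytes) -> str:
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")


def extract_uri_links(pdf_bytes: bytes):
    # Caveat: this sees only uncompressed objects. A production scanner must first
    # inflate FlateDecode streams and object streams (/Type /ObjStm), or use a parser.
    urls = [_unescape(m) for m in _URI_LIT.findall(pdf_bytes)]
    urls += [bytes.fromhex(re.sub(rb"\s", b"", m).decode()).decode("latin-1")
             for m in _URI_HEX.findall(pdf_bytes)]
    return urls


def _path_template(url: str) -> str:
    """Directory part of the path with digit runs normalised:
    /uploads/1/3/0/5/130588296/x.pdf -> /uploads/N/N/N/N/N"""
    directory = urlsplit(url).path.rsplit("/", 1)[0]
    return re.sub(r"\d+", "N", directory)


def link_farm_score(pdf_bytes, size_limit=100_000, min_links=8, cluster_ratio=0.5):
    """Assumed thresholds: 'small' is under 100 KB, at least 8 external links,
    and at least 50 % of them sharing one host or one path template."""
    urls = [u for u in extract_uri_links(pdf_bytes)
            if urlsplit(u).scheme in ("http", "https")]
    n = len(urls)
    hosts = Counter((urlsplit(u).hostname or "").lower() for u in urls)
    templates = Counter(_path_template(u) for u in urls)
    top_host = hosts.most_common(1)[0] if hosts else ("", 0)
    top_tmpl = templates.most_common(1)[0] if templates else ("", 0)
    host_share = top_host[1] / n if n else 0.0
    tmpl_share = top_tmpl[1] / n if n else 0.0
    triggered = (len(pdf_bytes) <= size_limit and n >= min_links
                 and max(host_share, tmpl_share) >= cluster_ratio)
    return {"links": n, "hosts": len(hosts), "top_host": top_host[0],
            "host_share": host_share, "top_template": top_tmpl[0],
            "template_share": tmpl_share, "triggered": triggered}


# Constructed inputs: a 12-domain farm with one path layout, and a benign 2-link paper.
FARM_URLS = [f"http://site{i:02d}.example/uploads/1/3/0/{i % 8}/1305{i:05d}/doc{i}.pdf"
             for i in range(1, 13)]
BENIGN_URLS = ["https://example.org/paper.pdf", "https://doi.example/10.1000/xyz",
               "mailto:author@example.org"]

if __name__ == "__main__":
    for name, urls in (("farm", FARM_URLS), ("benign", BENIGN_URLS)):
        print(name, link_farm_score(build_sample_pdf(urls)))
```

Host share alone would miss this sample (every link sits on its own domain); the path-template share is what catches a farm generated from one site-builder account layout.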

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename:  font_00_sfnt_off00005e19.bin
SHA-256:   0026662ef69f9566f3fa52acd7d8ef71427400505f6be377e4c7d19577b23e24
Kind:      pdf-font-stream
Source:    PDF embedded font (sfnt) at offset 0x5E19
Size:      8180 bytes
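How a carver locates an sfnt font in raw PDF bytes and decides where it ends, as an added example rather than the platform's own carving code: it scans for the sfnt magic values, parses the table directory, rejects false positives by validating the table count, tag bytes and bounds, and takes the end of the furthest table (4-byte aligned) as the font's size. The container below is a constructed byte string with a decoy magic in front of a synthetic two-table font; it assumes the font stream is stored uncompressed, which is why a byte offset into the file is meaningful. Real FontFile streams are often Flate-compressed and must be inflated before scanning.

```python
"""Carve sfnt (TrueType/OpenType) fonts out of a byte buffer (added example)."""
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")


def parse_sfnt_at(data: bytes, off: int):
    """Parse the sfnt table directory at data[off:].
    Returns (end_offset, table_tags) or None if it is not a plausible font."""
    if data[off:off + 4] not in SFNT_MAGICS or off + 12 > len(data):
        return None
    num_tables = struct.unpack_from(">H", data, off + 4)[0]
    if not 1 <= num_tables <= 64:          # real fonts have a handful of tables
        return None
    dir_end = off + 12 + 16 * num_tables
    if dir_end > len(data):
        return None
    end, tags = dir_end, []
    for i in range(num_tables):
        tag, _csum, toff, tlen = struct.unpack_from(">4sIII", data, off + 12 + 16 * i)
        if not all(0x20 <= b <= 0x7E for b in tag):   # tags are printable ASCII
            return None
        if toff < 12 or off + toff + tlen > len(data):  # table must lie inside data
            return None
        end = max(end, off + toff + tlen)
        tags.append(tag.decode("ascii"))
    size = (end - off + 3) & ~3            # sfnt tables are 4-byte aligned
    return off + size, tags


def carve_sfnt_fonts(data: bytes):
    """Return every validated sfnt found in data, sorted by offset."""
    found = []
    for magic in SFNT_MAGICS:
        start = 0
        while (pos := data.find(magic, start)) != -1:
            parsed = parse_sfnt_at(data, pos)
            if parsed is not None:
                found.append({"offset": pos, "size": parsed[0] - pos, "tables": parsed[1]})
            start = pos + 1
    return sorted(found, key=lambda f: f["offset"])


def build_sample_sfnt(tables):
    """Constructed sfnt: header, table directory, then 4-byte padded table bodies."""
    num = len(tables)
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", num, 0, 0, 0)
    entries, body, off = b"", b"", 12 + 16 * num
    for tag, payload in tables:
        entries += struct.pack(">4sIII", tag, 0, off, len(payload))
        padded = payload + b"\0" * (-len(payload) % 4)
        body += padded
        off += len(padded)
    return header + entries + body


SAMPLE_FONT = build_sample_sfnt([(b"head", b"A" * 54), (b"cmap", b"B" * 10)])
# Decoy: sfnt magic followed by a 0xFFFF table count, which the validator must reject.
SAMPLE_CONTAINER = (b"%PDF-1.4\n" + b"\x00\x01\x00\x00" + b"\xff" * 8
                    + b"stream\n" + SAMPLE_FONT + b"\nendstream\n%%EOF\n")

if __name__ == "__main__":
    for font in carve_sfnt_fonts(SAMPLE_CONTAINER):
        print(f"sfnt at offset 0x{font['offset']:X}, {font['size']} bytes, "
              f"tables {font['tables']}")
```

The 0x00010000 magic is common in arbitrary binary data, so the size and tag checks do the real work; a carver that trusts the magic alone will emit garbage "fonts".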