Malicious PDF — malware analysis report

Static analysis result for SHA-256 ad49822f3b29a40f…

Verdict: MALICIOUS
File type: PDF
Size: 36.6 KB
Authoring application: Karbon
MD5: 9b9072f67bf7c893d0ab1fdb313420ae
SHA-1: 67b0b323ecbce488b93b1f49eb8df58f22841584
SHA-256: ad49822f3b29a40f4ac7ce7fd5f15f6e1610c32539244401810004ee04cfd6d3
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded URLs pointing to other PDF files, a technique often used for SEO poisoning or to distribute further malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent. The document body text is heavily corrupted, preventing a detailed analysis of its specific lure.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted from the document:
    • http://prefabulous.org/uploads/1/3/0/4/130483836/864951.pdf
    • http://decaturdiagnostic.com/uploads/1/3/0/2/130289270/purarokelajud.pdf
    • http://carecanvas.com/uploads/1/3/0/4/130483902/biwezakozodez.pdf
    • http://abbepsychservices.com/uploads/1/3/0/2/130274199/vevarebabini-jiderutiti-revapita.pdf
    • http://myprizeonline.com/uploads/1/3/0/5/130589151/41bb4d8fb8788e.pdf
    • http://www.gigimacproductions.com/uploads/1/3/0/6/130604996/telexujamu-fefemanedogonaj-xawezololabiwuz-bawidizo.pdf
    • http://sparklyhealthandlove.com/uploads/1/3/0/7/130776162/tinegi_vumodadirivi_mebimufulirup_fitir.pdf
    • http://whatwe2.com/uploads/1/3/0/2/130287936/zekoxep_gizirujum_zudizuxemufuv_reloxipum.pdf
    • http://cmkp.nl/uploads/1/3/0/9/130969689/239b84bb8c9b281.pdf
    • http://mscgis.net/uploads/1/3/0/5/130540033/8f333182850f740.pdf
    • http://hostmaster.elettrodomesticiticino.ch/uploads/1/3/0/5/130539738/8349f50d.pdf
    • http://sorumaratonu.com/uploads/1/3/0/7/130738503/6747270.pdf
    • http://ritterassociates.net/uploads/1/3/0/6/130604309/jixim.pdf
    • http://chinhuan.net/uploads/1/3/0/7/130775722/jugojomusazuguwo.pdf
    • http://hostmaster.navp.co.uk/uploads/1/3/0/9/130968960/6fc8d.pdf
    • http://algaebookandpaper.com/uploads/1/3/0/7/130739202/9679736.pdf
    • http://muslimsjobs.com/uploads/1/3/0/5/130551576/tukaki.pdf
    • http://canberrabreathwork.com/uploads/1/3/0/6/130639750/369415.pdf
    • http://electmorthland.com/uploads/1/3/0/5/130540453/wedipapetepolega.pdf
    • http://kyflowernseed.com/uploads/1/3/0/5/130539706/130539706.html#active+and+passive+sentences+exercises
    • http://hostmaster.navp.co.uk/uploads/1/3

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00003060.bin
    SHA-256: 83d5510e7079fde46f48ea5c951b79c9fb85dd322b357819ae87649ef2bc785d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3060
    Size: 7968 bytes