Malicious PDF — malware analysis report

Static analysis result for SHA-256 ae15e976e280b3bb…

MALICIOUS

PDF

Size: 36.6 KB
Authoring application: Inkscape
MD5: 135415f7f853cb992381d0b75c9bce20
SHA-1: cdf079db4defd4a031eedfec76579ce386bb3299
SHA-256: ae15e976e280b3bb67ac580d1cb7911f90ab8e4a1aec310d9cdbd77a1e92edf1
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links to external PDF files, a technique often used for SEO poisoning or phishing campaigns. The ClamAV detection and ML classifier strongly indicate malicious intent. The embedded URLs are the primary indicators of compromise, suggesting the document's purpose is to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000014fb.bin
SHA-256: 6890aab7a8e10dbd8c7f66942cd7f4a3cae385dd7124c676987e7acafac3155f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x14FB
Size: 7896 bytes