Malicious PDF — malware analysis report

Static analysis result for SHA-256 be454b818bcd53ac…

Verdict: MALICIOUS
File type: PDF
Size: 35.1 KB
Authoring application: Scribus
MD5: f85af5895e5db89c35365d3e500068ee
SHA-1: b65dffc8e09eefdcd2b70b42ad4af2652d010741
SHA-256: be454b818bcd53ac54f0c4faf59fe7cd5f387eaffd66217fe46f97fbb0b02aa0
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was flagged by multiple heuristics, including a critical PDF_SEO_LINK_FARM rule and ClamAV detection for Pdf.Phishing.TtraffRobotInstall-7605656-0. The document contains a large number of embedded external links, suggesting a tactic to redirect users to malicious content. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://centerforempowerment.net/uploads/1/3/0/4/130489706/f7d029d797.pdf
    • http://theparduehouse.com/uploads/1/3/0/5/130551543/xugibididuwiviworize.pdf
    • http://cambderma.co.uk/uploads/1/3/0/5/130545333/vavelabuleruvopibovo.pdf
    • http://nataliereneesteffen.org/uploads/1/3/0/7/130776264/2751273.pdf
    • http://www.bersamaju.nl/uploads/1/3/0/6/130620185/4526209.pdf
    • http://shannonmccollum.net/uploads/1/3/0/5/130539078/4312837.pdf
    • http://suesessentiallife.com/uploads/1/3/0/5/130545199/a163e4a0c33abfe.pdf
    • http://geomote-systems.com/uploads/1/3/0/6/130639700/7574258.pdf
    • http://ardmacelectric.com/uploads/1/3/0/5/130546076/xogubewigegosokajul.pdf
    • http://americanpastimebaseball.com/uploads/1/3/0/6/130604521/lawamomives-simeligerofin-kifetometipo-temamamo.pdf
    • http://www.avery-archibald.com/uploads/1/3/0/2/130270832/1ae4908.pdf
    • http://daddio.io/uploads/1/3/0/6/130620618/lugowogoke.pdf
    • http://axelnilsson.net/uploads/1/3/0/3/130313513/rokefugozep_zokal_bidisetinika.pdf
    • http://www.juliemariekids.com/uploads/1/3/0/5/130543870/moxebobujeve-bumovagojowo-botuwamifitize-mukeso.pdf
    • http://portuguescumbrespuertovaras.devsite-1.com/uploads/1/3/0/7/130776536/130776536.html#attestation+d%27h%C3%A9bergement+%C3%A0+titre+gratuit+cmu

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002d66.bin
SHA-256: de8b56e856443467ed9729a9949c452e4db3b93afd54bcb8ab96e292c0fcfccd
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2D66
Size: 9096 bytes