Malicious PDF — malware analysis report

Static analysis result for SHA-256 c0f7f18dafb21b84…

MALICIOUS

PDF

Size: 125.8 KB
Authoring application: Karbon
MD5: f395ff070bd3e7bd739144bfc69727c2
SHA-1: 0fb4374b2687a972b287ddfc9a18abd977dbc70a
SHA-256: c0f7f18dafb21b849ce1cd1cce4d0397e2b52e2075919ae46b4a9d6762a50279
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.001 User Execution: Malicious Link

The PDF contains a large number of clickable links to other PDF files hosted on many different domains; although the hosts differ, every link shares the same /uploads/1/3/0/<n>/<id>/ path layout, which points to a generated link farm or redirection scheme rather than genuine document citations. The ClamAV signature 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the 'PDF_SEO_LINK_FARM' heuristic together indicate a malicious phishing or SEO-spam campaign, and the ML classifier flagged the file with high confidence (score 0.9997).

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://shawpolygraph.com/uploads/1/3/0/6/130639025/tibozubokitarutumed.pdf
    • http://ewth.net/uploads/1/3/0/4/130435690/4983923.pdf
    • http://maryfairyguidance.me/uploads/1/3/0/8/130813740/niwonemuxukolek.pdf
    • http://deedeemillbrae.com/uploads/1/3/0/7/130739232/vobetunefesofoxudi.pdf
    • http://besthairextensionswilmington.com/uploads/1/3/0/7/130738614/9040702.pdf
    • http://yoanstudio.com/uploads/1/3/0/2/130270958/98e0f.pdf
    • http://fairtradegreen.com/uploads/1/3/0/7/130738769/f272f26422.pdf
    • http://norshus.com/uploads/1/3/0/5/130543995/6f26b5b.pdf
    • http://tinkoff.vip/uploads/1/3/0/2/130291971/feresapuweraj.pdf
    • http://dealswithdessy.com/uploads/1/3/0/5/130551106/9ca03a3752c644.pdf
    • http://merakiofferings.com/uploads/1/3/0/7/130775366/7296730.pdf
    • http://vpstestsite.com/uploads/1/3/0/6/130639600/2972113.pdf
    • http://airwavescable.com/uploads/1/3/0/5/130540746/xitapunodawugos-nixosozulomebi-kapubibobi.pdf
    • http://pathproduct.com/uploads/1/3/0/7/130739090/061024eee.pdf
    • http://nathannasbymusic.com/uploads/1/3/0/3/130312929/fcd10.pdf
    • http://captivated.blog/uploads/1/3/0/5/130589010/3192887.pdf
    • http://muggmatch.com/uploads/1/3/0/6/130620789/f241bf.pdf
    • http://sam-tisher-senio-1.rominastiebenphotography.com/uploads/1/3/0/6/130640047/130640047.html#r.i.+freshney+culture+of+animal+cells
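The PDF_SEO_LINK_FARM heuristic above is described in words only. The following Python is an added example, not code from the scanner that produced this report: it builds a synthetic PDF whose /Link annotations point at the URLs listed above (constructed sample, not the analysed file), extracts the /URI targets, and scores the result. It generalises the heuristic slightly: besides host clustering it also measures clustering on the directory template of the link paths, which is what makes this sample stand out, since its links span 18 hosts but share one /uploads/1/3/0/<n>/<id>/ layout. The size, link-count and clustering thresholds are assumptions chosen for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample input: the link targets from the report, embedded as
# /Link annotations in a synthetic PDF. This is not the analysed file.
SAMPLE_URLS = [
    "http://shawpolygraph.com/uploads/1/3/0/6/130639025/tibozubokitarutumed.pdf",
    "http://ewth.net/uploads/1/3/0/4/130435690/4983923.pdf",
    "http://maryfairyguidance.me/uploads/1/3/0/8/130813740/niwonemuxukolek.pdf",
    "http://deedeemillbrae.com/uploads/1/3/0/7/130739232/vobetunefesofoxudi.pdf",
    "http://besthairextensionswilmington.com/uploads/1/3/0/7/130738614/9040702.pdf",
    "http://yoanstudio.com/uploads/1/3/0/2/130270958/98e0f.pdf",
    "http://fairtradegreen.com/uploads/1/3/0/7/130738769/f272f26422.pdf",
    "http://norshus.com/uploads/1/3/0/5/130543995/6f26b5b.pdf",
    "http://tinkoff.vip/uploads/1/3/0/2/130291971/feresapuweraj.pdf",
    "http://dealswithdessy.com/uploads/1/3/0/5/130551106/9ca03a3752c644.pdf",
    "http://merakiofferings.com/uploads/1/3/0/7/130775366/7296730.pdf",
    "http://vpstestsite.com/uploads/1/3/0/6/130639600/2972113.pdf",
    "http://airwavescable.com/uploads/1/3/0/5/130540746/xitapunodawugos-nixosozulomebi-kapubibobi.pdf",
    "http://pathproduct.com/uploads/1/3/0/7/130739090/061024eee.pdf",
    "http://nathannasbymusic.com/uploads/1/3/0/3/130312929/fcd10.pdf",
    "http://captivated.blog/uploads/1/3/0/5/130589010/3192887.pdf",
    "http://muggmatch.com/uploads/1/3/0/6/130620789/f241bf.pdf",
    "http://sam-tisher-senio-1.rominastiebenphotography.com/uploads/1/3/0/6/130640047/130640047.html#r.i.+freshney+culture+of+animal+cells",
]


def build_sample_pdf(urls):
    """Build a minimal, uncompressed PDF with one /Link annotation per URL.

    Assumption: the URLs contain no unbalanced parentheses, so they can be
    written as plain PDF literal strings without escaping.
    """
    objects, refs = [], []
    for i, url in enumerate(urls):
        num = 4 + i
        refs.append(f"{num} 0 R")
        objects.append(
            f"{num} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
            f"/A << /S /URI /URI ({url}) >> >>\nendobj\n"
        )
    body = (
        "%PDF-1.4\n"
        "1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
        "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
        f"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [{' '.join(refs)}] >>\nendobj\n"
        + "".join(objects)
        + "trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    )
    return body.encode("latin-1")


URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def extract_uri_links(pdf_bytes):
    """Pull /URI action targets out of raw PDF bytes.

    Caveat: only literal strings in uncompressed objects are seen. Real samples
    can hide URIs in hex strings or object streams, so a full PDF parser is
    needed before trusting a negative result.
    """
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def assess_link_farm(pdf_bytes, size_limit=200 * 1024, min_links=10, cluster_ratio=0.5):
    """Score a PDF against the SEO link-farm pattern (thresholds are assumptions)."""
    urls = extract_uri_links(pdf_bytes)
    external = [u for u in urls if urlsplit(u).scheme in ("http", "https")]
    external_pdf = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in external)
    # Collapse digit runs so /uploads/1/3/0/6/130639025/ and /uploads/1/3/0/4/130435690/
    # fall into one directory template; generated farms reuse a single layout.
    templates = Counter(
        re.sub(r"\d+", "#", urlsplit(u).path.rsplit("/", 1)[0]) for u in external
    )
    n = len(external) or 1
    top_host_share = hosts.most_common(1)[0][1] / n if hosts else 0.0
    top_template_share = templates.most_common(1)[0][1] / n if templates else 0.0
    fires = (
        len(pdf_bytes) <= size_limit
        and len(external_pdf) >= min_links
        and max(top_host_share, top_template_share) >= cluster_ratio
    )
    return {
        "size_bytes": len(pdf_bytes),
        "link_count": len(urls),
        "external_pdf_count": len(external_pdf),
        "distinct_hosts": len(hosts),
        "top_host_share": round(top_host_share, 2),
        "top_template_share": round(top_template_share, 2),
        "fires": fires,
    }


if __name__ == "__main__":
    for key, value in assess_link_farm(build_sample_pdf(SAMPLE_URLS)).items():
        print(f"{key:>20}: {value}")
```

On the sample above the host share is only 1/18, so a heuristic that looked at hosts alone would not fire; the path-template share is 1.0, which is what carries the verdict. A single link, or a handful of citation-style links to assorted paths, scores below the thresholds and is left alone.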

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000065c0.bin
  SHA-256: c048ac4ed90d63bfae46472f65f9cf6fc0bd5e75369f2d8f28771a6d96a2731c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x65C0
  Size: 3156 bytes

Filename: font_01_sfnt_off000073e3.bin
  SHA-256: 98ad16149e03b75146f9c0eaf94c65b6a3041bd7a533a5ed61a00fda82b873fc
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x73E3
  Size: 9540 bytes