Malicious PDF — malware analysis report

Static analysis result for SHA-256 c2b4c3b4bbae9a3e…

MALICIOUS

PDF

Size: 40.2 KB
Authoring application: Inkscape
MD5: b0b9223b6ac4203db0e7dbb0f9de0ba6
SHA-1: 79f346b8b116e9746c791b9889f9e9f39a6ae4ad
SHA-256: c2b4c3b4bbae9a3e029a36e17c4088d43e25112b9ed9f55d1a5ab346847188ce
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF contains a large number of external links, identified as a link farm, designed to redirect users to other PDF files. The document body text, though partially corrupted, mentions an English grammar quiz and provides a link to download a PDF quiz, indicating a social engineering lure. The ClamAV detection and ML classifier strongly suggest malicious intent, likely phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://quillesthon.com/uploads/1/3/0/6/130639841/juvomum_pipafekewodegij_bevotavateraxe.pdf
    • http://theempoweredyou.com/uploads/1/3/0/6/130620555/xavegirup.pdf
    • http://earthquakesafety101.com/uploads/1/3/0/2/130270923/giluzalu.pdf
    • https://forozamasemu.weebly.com/uploads/1/3/0/3/130313105/ligajugexikifokalo.pdf
    • http://gof.downloadappios.com/uploads/2020/01/27/rukoj-dadirixesumiwo.pdf
    • http://beradiantlyraw.com/uploads/1/3/0/6/130620846/faboletemixopusidom.pdf
    • http://petroelektrosbyt.ru/uploads/2020/01/27/4659169.pdf
    • http://signaturedoulacare.com/uploads/1/3/0/5/130589246/pixekojad_jodanukefosaw_nesuloferaj.pdf
    • http://zitorikiwu.duplicatarta.com/uploads/2020/01/29/mekuzeludezaguxogib.pdf
    • http://fibaser.i1spotify.com/uploads/2020/01/28/mewugupelixizek.pdf
    • http://mialamaven.net/uploads/1/3/0/2/130291713/redufazubaze.pdf
    • http://merryhillweddings.net/uploads/1/3/0/6/130605146/nadoxekefejofito.pdf
    • http://rosopifej.kuhnimsc08.icu/uploads/2020/01/28/3516c504749fca5.pdf
    • https://gajidekuw.weebly.com/uploads/1/3/0/5/130588885/kotixupekipasu-lekere.pdf
    • http://kelseyleonofficial.com/uploads/1/3/0/5/130546803/lixow-nuxuxuwaxixezot-tevanu.pdf
    • http://wowogare.tehnika-ask.ru/uploads/2020/01/28/duletodapoge.pdf
    • http://rachnayoga.com/uploads/1/3/0/5/130543256/32383c6.pdf
    • http://pianomethod.info/uploads/1/3/0/3/130379844/fexedegegezugere.pdf
    • http://pp-offer.info/uploads/2020/01/28/fuzakuzijeguru_darijomasaz_gujodos_kexefowalele.pdf
    • http://missionreality.weebly.com/uploads/1/3/0/4/130477533/zegopuduwasawez.pdf
    • http://zefe.nemcolombia.com/uploads/2020/01/28/mekuvofoxosos.pdf
    • http://nielsenrenovations.com/uploads/1/3/0/3/130379160/1898180.pdf
    • http://uic-vie.weebly.com/uploads/1/3/0/3/130324063/belapadiz.pdf
    • http://sportscomplexlv.com/uploads/1/3/0/5/130588244/wewexexox.pdf
    • http://benkregel.com/uploads/1/3/0/4/130475925/130475925.html#perfect+english+grammar+linking+words+contrast

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000017cc.bin
    SHA-256: ffd976862d35f4397d2981a355c905687de509d531db7994dfb05c38e1f79604
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x17CC
    Size: 8408 bytes