Malicious PDF — malware analysis report

Static analysis result for SHA-256 c5e9e578f386a10c…

MALICIOUS

PDF

51.7 KB Authoring application: Inkscape
MD5: aac33fb2dfb6d87e603925d77a12f782 SHA-1: c299f4e261b49ed5ae7f27cd0b180cca90dba529 SHA-256: c5e9e578f386a10c4a03bb279026e0fdb4088ee3e8d0bfbe17eaa002b4540e3a
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file was flagged by ClamAV as Pdf.Phishing.TtraffRobotInstall-7605656-0 and a machine learning classifier indicated a high probability of maliciousness. The document body contains a large number of embedded URLs, consistent with a link farm designed to redirect users to malicious sites. The heuristic PDF_SEO_LINK_FARM specifically identifies this pattern, suggesting the document's primary purpose is to facilitate traffic to these external links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://shelleycorr.com/uploads/1/3/0/5/130588570/c94a938.pdf
    • http://joannalingnau.net/uploads/1/3/0/7/130738945/pigetirasarusexe.pdf
    • http://kov.mariocoin.ru/uploads/2020/01/27/03838e3125d28.pdf
    • http://rap-stolica.weebly.com/uploads/1/3/0/4/130483591/milesasap.pdf
    • http://mylarkapparel.com/uploads/1/3/0/2/130291029/764babb.pdf
    • http://mywonderowl.com/uploads/1/3/0/4/130478772/dikatotu-wejalelimesiman-liwiwaper.pdf
    • http://majim.laritelle.info/uploads/2020/01/28/589c5.pdf
    • http://bdmchallenge.com/uploads/1/3/0/5/130590481/zupugogu-lapovijes-jeniburis.pdf
    • http://nikkiwetherellcounseling.com/uploads/1/3/0/5/130588754/xavegaguwilawufil.pdf
    • http://paparazziservices.com/uploads/1/3/0/4/130477249/8021559.pdf
    • http://caqrecords.com/uploads/1/3/0/5/130590654/35c560d6.pdf
    • http://nobuhotelriyadh-fullsite.devsite-1.com/uploads/1/3/0/6/130639410/130639410.html#cbse+improvement+exam+2020+form+filling+date

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000012ab.bin
4525618c10399e7bb9d45349df0044414bf5a83eaf4ac9295bce76077950c7ec		 pdf-font-stream PDF embedded font (sfnt) at offset 0x12AB 8084 bytes
font_01_sfnt_off00006edf.bin
5d7ebd720715cd86529581f1d40cc643f68465477bd430d4be5ff736bc95f798		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6EDF 16268 bytes
font_02_sfnt_off0000845b.bin
e661e76f29eae60f84c272f10a739872f6f5b20c21adcc74f574f1ac64621015		 pdf-font-stream PDF embedded font (sfnt) at offset 0x845B 7692 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.