Malicious PDF — malware analysis report

Static analysis result for SHA-256 c8a6f3b2f2ae6fef…

MALICIOUS

PDF

37.4 KB Authoring application: Karbon
MD5: c557d2c008d8899bdd4e27d2d5dd344c SHA-1: 63e2e4760f22d434d0ab65e9f331e94ac01d0f02 SHA-256: c8a6f3b2f2ae6fef3218d3c458ddd4781e6d4c4d178fc86f50f0f6ac129e3210
150 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The PDF document contains a large number of embedded URLs, forming a link farm. These URLs predominantly point to other PDF files hosted on various domains, suggesting a distribution mechanism for further malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://theconnectionsacademy.net/uploads/1/3/0/5/130588505/mapebaxixib_mepefosux_jinataj_papapewumuk.pdf
    • http://blzzr.com/uploads/1/3/0/5/130543536/bepamolofamotivunem.pdf
    • http://mtymielikki.fi/uploads/1/3/0/2/130273571/acdcf07cfa.pdf
    • http://betawilloughby.com/uploads/1/3/0/2/130273993/guditarulugeri-dimili-refotumetesog-wifubiwipekejo.pdf
    • http://zakitima.alianzaamericanadecolombia.com/uploads/2020/01/29/9f4ea.pdf
    • http://nadinebrockel.de/uploads/1/3/0/5/130588221/169876476e479.pdf
    • http://yorkshirecajun.com/uploads/1/3/0/2/130270905/2631600.pdf
    • http://everettgroupconsulting.com/uploads/1/3/0/3/130379504/zalunem-kilefizojudi-rutetovoto.pdf
    • http://skylinesjewellery.com/uploads/1/3/0/6/130620619/1467396.pdf
    • http://mymissblue.com/uploads/1/3/0/5/130551375/130551375.html#bloons+td+3+hacked

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000140c.bin
413becbbf1f19f8bddda0a85e0d6874edb9e86d41e203140d71974ddeb048237		 pdf-font-stream PDF embedded font (sfnt) at offset 0x140C 8308 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.