Malicious PDF — malware analysis report

Static analysis result for SHA-256 cb682f889a5d61c8…

MALICIOUS

PDF

Size: 52.6 KB
Authoring application: GIMP
MD5: 352ce6ee295b977d987260f28c0c945f
SHA-1: a525501239b551908d7cc929912caa27c4124408
SHA-256: cb682f889a5d61c86053c2b2993b23e134fd82980b9192b9df35bbe543520c76
Risk Score: 150

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded links to external PDF files, a technique often used for SEO manipulation or to distribute further malicious content. The ClamAV detection and ML classifier strongly indicate malicious intent. The document body contains garbled text and a reference to a URL, further supporting the malicious nature of the file.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://rabbitmountainlavender.com/uploads/1/3/0/7/130740260/xekofaxopuwibiv.pdf
    • http://openarmsmarket.com/uploads/1/3/0/6/130639699/buzumotozume.pdf
    • http://sarfa.org/uploads/1/3/0/7/130776498/zunadenebafese.pdf
    • http://chaiyee.com/uploads/1/3/0/7/130739906/6857cb.pdf
    • http://coachmicheleatl.com/uploads/1/3/0/5/130541662/131239.pdf
    • http://www.rentrite-ak.co.nz/uploads/1/3/0/4/130489149/c33bb3b8809e69e.pdf
    • http://homeselectionrd.com/uploads/1/3/0/9/130969391/8308507220.pdf
    • http://lipstickliberalnetwork.net/uploads/1/3/0/5/130589187/3079025.pdf
    • http://dallasoliver.com/uploads/1/3/0/8/130873784/1239926.pdf
    • http://nobleworkshumorcards.net/uploads/1/3/0/8/130813705/munubunefu_wugijat.pdf
    • http://butlersemporium.net/uploads/1/3/0/6/130620510/fikajulofo_sijemekoselub_banimu.pdf
    • http://thesouthernapparel.com/uploads/1/3/0/5/130589133/e02980219be00a3.pdf
    • http://davewalcott.com/uploads/1/3/0/6/130621376/8113986.pdf
    • http://marijuanavaping.net/uploads/1/3/0/2/130273617/6540429.pdf
    • http://www.wirtschaftsdemokratie.net/uploads/1/3/0/2/130271214/pewisizekuvix.pdf
    • http://www.chocolaticity.net/uploads/1/3/0/7/130739026/130739026.html#eichmann+in+jerusalem+a+report+on+the+banality+of+evil+quotes

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00000f90.bin
SHA-256: d85bf7aae2d40ec8705c62ec84855066461091248e0ce44044872694a580c219
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF90
Size: 8896 bytes