Malicious PDF — malware analysis report

Static analysis result for SHA-256 cb81ea064358a44f…

Verdict: MALICIOUS
File type: PDF
Size: 33.6 KB
Authoring application: Scribus
MD5: e981f5b601be2948214349e25107bd66
SHA-1: 54005dace578672749de518420feb62fc24e9514
SHA-256: cb81ea064358a44f87bc69a6ac5e9f242e7569a8049440932408029a78d5761f
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell (not supported by any finding in this report: the heuristics below show link-annotation targets only, with no script, launch action or PowerShell artifact, so treat this tag as unconfirmed)

The PDF contains a large number of external links and is identified as a link farm. The extracted targets point to twelve distinct hosts, eleven of them further .pdf files and one an .html page, all under the same /uploads/1/3/0/<n>/<nine-digit id>/ path template; that uniform, machine-generated structure across unrelated hosts is what separates a carrier document from a normal citation pattern. The ClamAV signature (Pdf.Phishing.TtraffRobotInstall) and the ML classifier score agree on malicious intent, specifically phishing or traffic redirection. The embedded URLs are most likely used to route users into further malicious or unwanted-software delivery chains, or to manipulate search engine rankings. The only artifact carved from the file itself was an embedded font stream, so the risk lies in what the links fetch: the hosts and path pattern, not just the file hash, are the indicators worth blocking and hunting for.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://applemoshberry.com/uploads/1/3/0/5/130588588/sipel.pdf
    • http://ellaayalon.org/uploads/1/3/0/7/130739116/8056163.pdf
    • http://callanjames.co.nz/uploads/1/3/0/2/130289693/gefeworeje-veloduraxa-pizobunegavobed-rakaf.pdf
    • http://shopity.host/uploads/1/3/0/6/130620557/0ac9a2b8e4f.pdf
    • http://millyproducts.com/uploads/1/3/0/2/130291922/lupiwezawuwoweseg.pdf
    • http://onestoneworks.com/uploads/1/3/0/5/130539584/8eb4e067a.pdf
    • http://chartspanemployer.com/uploads/1/3/0/5/130544672/dudugub-bipitokip-wewewoz.pdf
    • http://apeculiarthud.com/uploads/1/3/0/3/130313529/buvoxufi-votirepo-xeweludepus.pdf
    • http://thewell-seasonedwoman.com/uploads/1/3/0/6/130603698/9d281b6.pdf
    • http://charlestonmanufacturingcenter.com/uploads/1/3/0/2/130289338/xujovaxowepufo.pdf
    • http://destinationweddingsbigisland.com/uploads/1/3/0/7/130775722/9a77d4326f.pdf
    • http://2196eh.salon225.com/uploads/1/3/0/5/130588501/130588501.html#yoga+exercises+for+lower+back+herniated+disc
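The link-farm heuristic above is, in effect, a count of clickable external targets weighted by how uniform they are. As an added example (not the analyzer's own code, and using constructed placeholder hosts rather than the sample's URLs), the following Python script builds a small PDF with /Link annotations, extracts every /URI action target, and scores the result the way the heuristic describes: small file, many links, and either host clustering or, as in the list above, one shared numeric path template spread across many hosts. The thresholds (8 links, 64 KB, 50% share) are assumptions for illustration; the parser handles only uncompressed /URI actions, so files that use object streams need inflating first.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed placeholder link set (reserved example hostnames, not the
# sample's URLs). Nine .pdf targets plus one .html target, all sharing one
# numeric path template, which is the shape the link-farm heuristic targets.
SAMPLE_LINKS = [
    "http://a.example/uploads/1/3/0/5/130000001/one.pdf",
    "http://b.example/uploads/1/3/0/7/130000002/two.pdf",
    "http://c.example/uploads/1/3/0/2/130000003/three.pdf",
    "http://d.example/uploads/1/3/0/6/130000004/four.pdf",
    "http://e.example/uploads/1/3/0/2/130000005/five.pdf",
    "http://f.example/uploads/1/3/0/5/130000006/six.pdf",
    "http://g.example/uploads/1/3/0/5/130000007/seven.pdf",
    "http://h.example/uploads/1/3/0/3/130000008/eight.pdf",
    "http://i.example/uploads/1/3/0/6/130000009/nine.pdf",
    "http://j.example/uploads/1/3/0/5/130000010/130000010.html#landing",
]


def build_sample_pdf(links):
    """Build a minimal, uncompressed PDF whose single page carries one /Link
    annotation with a /URI action per link. Literal (...) and hex <...> string
    forms alternate so the extractor is exercised on both encodings."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    ]
    annots = " ".join(f"{4 + i} 0 R" for i in range(len(links))).encode()
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + annots + b"] >>")
    for i, url in enumerate(links):
        raw = url.encode()
        if i % 2:
            uri = b"<" + raw.hex().encode() + b">"
        else:
            uri = b"(" + raw.replace(b"\\", b"\\\\").replace(b"(", b"\\(").replace(b")", b"\\)") + b")"
        rect = b"[0 %d 300 %d]" % (i * 20, i * 20 + 15)
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect " + rect + b" /A << /S /URI /URI " + uri + b" >> >>")
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer << /Root 1 0 R >>\n%%EOF\n"


# A /URI action whose target is a literal string (with \( \) \\ escapes) or a
# hex string. Assumes /S precedes /URI (the usual writer order) and that the
# annotation objects are not packed into compressed /ObjStm streams.
_URI_ACTION = re.compile(rb"/S\s*/URI\s*/URI\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)")


def _pdf_string(tok: bytes) -> str:
    if tok.startswith(b"<"):
        hexdigits = re.sub(rb"\s+", b"", tok[1:-1])
        if len(hexdigits) % 2:
            hexdigits += b"0"          # PDF pads an odd trailing digit with 0
        return bytes.fromhex(hexdigits.decode("ascii")).decode("latin-1")
    return re.sub(rb"\\([()\\])", rb"\1", tok[1:-1]).decode("latin-1")


def extract_uri_links(pdf: bytes):
    """Return every /URI action target in document order."""
    return [_pdf_string(m.group(1)) for m in _URI_ACTION.finditer(pdf)]


def link_farm_assessment(pdf: bytes, min_links=8, max_size=64 * 1024):
    """Score a PDF against the link-farm pattern: small file, many external
    targets, and either host clustering or one shared path template.
    Thresholds are illustrative assumptions, not the analyzer's."""
    urls = extract_uri_links(pdf)
    n = len(urls)
    hosts = Counter((urlsplit(u).hostname or "") for u in urls)
    # Collapse digit runs so /uploads/1/3/0/5/130000001 and /uploads/1/3/0/7/130000002
    # land in the same template; generated carriers differ only in those numbers.
    templates = Counter(re.sub(r"\d+", "#", urlsplit(u).path.rsplit("/", 1)[0]) for u in urls)
    top_host_share = hosts.most_common(1)[0][1] / n if n else 0.0
    top_template_share = templates.most_common(1)[0][1] / n if n else 0.0
    pdf_targets = sum(urlsplit(u).path.lower().endswith(".pdf") for u in urls)
    flagged = (len(pdf) <= max_size and n >= min_links
               and (top_host_share >= 0.5 or top_template_share >= 0.5))
    return {
        "size": len(pdf),
        "links": n,
        "pdf_targets": pdf_targets,
        "distinct_hosts": len(hosts),
        "top_host_share": top_host_share,
        "top_template": templates.most_common(1)[0][0] if n else "",
        "top_template_share": top_template_share,
        "flagged": flagged,
    }


if __name__ == "__main__":
    verdict = link_farm_assessment(build_sample_pdf(SAMPLE_LINKS))
    for key, value in verdict.items():
        print(f"{key:>20}: {value}")
```

Run against a real sample, replace build_sample_pdf with the file's bytes; the host-share test alone would miss a document like this one (twelve hosts, no cluster), which is why the path-template share is scored alongside it.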

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00002d4d.bin
SHA-256: 8235f3735891abf9ba163a4602fb9c0ae2a064143ac1d4f460f3aab9cf3d2d40
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2D4D
Size: 7440 bytes