Malicious PDF — malware analysis report

Static analysis result for SHA-256 cc95b2928281831e…

Verdict: MALICIOUS
File type: PDF
Size: 47.3 KB
Authoring application: Scribus
MD5: 08c387145c4d5e0e05e9b613ae26fda1
SHA-1: f1ab8034342e048a978d2fc7f9ef4d8cb8779b6c
SHA-256: cc95b2928281831e3a1bcfbb0ced55bc50457f5a622ae9b5df2226e00c3cfb51
Risk Score: 150

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link
T1204.002 User Execution: Malicious File

The PDF was flagged by multiple heuristics, including the critical PDF_SEO_LINK_FARM rule and a ClamAV detection (Pdf.Phishing.TtraffRobotInstall-7605656-0). The document body is heavily obfuscated but contains references to Scribus and game guides, most likely lure text. The primary malicious behaviour is the embedding of a large number of external links intended to route readers on to further malicious or unwanted content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://foxopivun.weebly.com/uploads/1/3/0/4/130488810/3427878.pdf
    • http://monicaariasmiranda.com/uploads/1/3/0/6/130639643/06549.pdf
    • http://pad.brooklynmen.com/uploads/2020/01/28/e9bead6.pdf
    • http://pekam.su/uploads/2020/01/27/3cdce73ea4c.pdf
    • https://sidunabu.weebly.com/uploads/1/3/0/4/130476413/a0dc9fcf6bb4ab.pdf
    • https://galunikavo.weebly.com/uploads/1/3/0/2/130289355/wavavugadalive_nijonelidoludiz_xesokifazuzodan_wolifamamexo.pdf
    • http://muje.lourika.ru/uploads/2020/01/28/7976054.pdf
    • http://bebrave.studio/uploads/1/3/0/2/130291507/7115736.pdf
    • http://magazz3.fun/uploads/2020/01/28/8597470.pdf
    • http://khvalov.info/uploads/2020/01/29/neduxunogujed_fuputo_mazodupofi_jodefefip.pdf
    • http://thestarvingcollegekid.com/uploads/1/3/0/4/130478347/nozerotezeragobula.pdf
    • http://questswim.com/uploads/1/3/0/6/130621588/5298d0fb1f0.pdf
    • http://crystalrenes.com/uploads/1/3/0/2/130289748/gadegevig.pdf
    • http://mulefuw.bluetp.com/uploads/2020/01/27/jipewelolinegep-wuwixosaro.pdf
    • http://southernrugs.com/uploads/1/3/0/5/130588157/3712179.pdf
    • http://koloman.dawhdsads.icu/uploads/2020/01/28/c542056a.pdf
    • http://pakalolochocolate.com/uploads/1/3/0/6/130639511/pivoworubuwekub.pdf
    • http://bellastar.net/uploads/1/3/0/2/130288002/levuwujiz_gidig_xetup_poluwo.pdf
    • http://somersetfoodtrail.org/uploads/1/3/0/6/130639034/130639034.html#janna+guide+pro+builds
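
The PDF_SEO_LINK_FARM heuristic above can be reproduced in a few lines. The following is an added example, not the scanner's own rule logic: it pulls /URI link-annotation targets out of raw PDF bytes and applies the small-file / many-external-.pdf-links / host-clustering test. The thresholds (100 KiB, 10 .pdf links, 50% of links on one domain) are assumptions, the fixture PDF is built in-code from a dozen of the URLs listed in this report, and the registered-domain approximation (last two host labels) stands in for a proper public-suffix lookup.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# A dozen of the link targets listed in this report, reused as sample input.
SAMPLE_URLS = [
    "https://foxopivun.weebly.com/uploads/1/3/0/4/130488810/3427878.pdf",
    "http://monicaariasmiranda.com/uploads/1/3/0/6/130639643/06549.pdf",
    "http://pad.brooklynmen.com/uploads/2020/01/28/e9bead6.pdf",
    "http://pekam.su/uploads/2020/01/27/3cdce73ea4c.pdf",
    "https://sidunabu.weebly.com/uploads/1/3/0/4/130476413/a0dc9fcf6bb4ab.pdf",
    "https://galunikavo.weebly.com/uploads/1/3/0/2/130289355/wavavugadalive_nijonelidoludiz_xesokifazuzodan_wolifamamexo.pdf",
    "http://muje.lourika.ru/uploads/2020/01/28/7976054.pdf",
    "http://bebrave.studio/uploads/1/3/0/2/130291507/7115736.pdf",
    "http://magazz3.fun/uploads/2020/01/28/8597470.pdf",
    "http://khvalov.info/uploads/2020/01/29/neduxunogujed_fuputo_mazodupofi_jodefefip.pdf",
    "http://thestarvingcollegekid.com/uploads/1/3/0/4/130478347/nozerotezeragobula.pdf",
    "http://somersetfoodtrail.org/uploads/1/3/0/6/130639034/130639034.html#janna+guide+pro+builds",
]

# Matches the literal-string form of a URI action: /A << /S /URI /URI (http://...) >>.
# Hex strings (<...>) and annotations inside compressed /ObjStm object streams are not
# covered; inflate those first (pypdf, pdf-parser.py) before applying a byte-level regex.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def build_pdf(urls):
    """Construct a minimal uncompressed PDF with one /Link annotation per URL.
    Constructed test fixture (no xref table), not the analysed sample."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + refs + b"] >>")
    for u in urls:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 200 20] "
                    b"/A << /S /URI /URI (" + u.encode() + b") >> >>")
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"%%EOF\n"


def extract_uris(pdf_bytes):
    """Return every /URI action target found in the raw bytes, in document order,
    with PDF literal-string escapes (\\) \\( \\\\) removed."""
    return [re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")
            for m in URI_RE.finditer(pdf_bytes)]


def classify_link_farm(size_bytes, uris, max_size=100 * 1024, min_pdf_links=10, cluster_ratio=0.5):
    """Link-farm heuristic modelled on the report's rule text (thresholds are assumptions):
    verdict fires for a small PDF whose link annotations point at many external .pdf
    targets; clustering of those links on one registered domain is reported alongside."""
    external = [u for u in uris if u.lower().startswith(("http://", "https://"))]
    pdf_links = sum(1 for u in external if urlsplit(u).path.lower().endswith(".pdf"))
    # Approximate the registered domain with the last two labels; a public-suffix list
    # is the correct tool for real use (co.uk, github.io, ...).
    domains = Counter(".".join((urlsplit(u).hostname or "").split(".")[-2:]) for u in external)
    top_domain, top_count = domains.most_common(1)[0] if domains else ("", 0)
    share = top_count / len(external) if external else 0.0
    return {
        "size_bytes": size_bytes,
        "external_links": len(external),
        "pdf_links": pdf_links,
        "top_domain": top_domain,
        "top_domain_count": top_count,
        "clustered": share >= cluster_ratio,
        "verdict": size_bytes <= max_size and pdf_links >= min_pdf_links,
    }


if __name__ == "__main__":
    pdf = build_pdf(SAMPLE_URLS)
    result = classify_link_farm(len(pdf), extract_uris(pdf))
    for k, v in result.items():
        print(f"{k:>18}: {v}")
```

Run against a real sample, feed `classify_link_farm` the file size plus the URL list from a proper parser rather than the regex, since link-farm carriers frequently keep their annotations in compressed object streams where a byte-level scan sees nothing.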

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off00001577.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1577 | 9100 bytes
  SHA-256: 4eae64c1e4d1a62c5427c1fe2201e98fadabbcb680df6d6463b24a1fe8a03d54
font_01_sfnt_off00006568.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6568 | 16068 bytes
  SHA-256: 6db2f878e0fd57d3a351d0d81a5ccd7b58f68df6728dadc3aee3ebeb1a1d6e60
font_02_sfnt_off00007990.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7990 | 4136 bytes
  SHA-256: 292881d548b51020aa31d41489134d81da30664c0578bf5a0ea64e28eb1da6c2
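
The artifact table records each font by the offset of its sfnt header and a carved length. An added example (not the analysis platform's own carver) showing how those two numbers are derived: locate an sfnt offset table, walk its table directory, take the end of the furthest table as the font length, then hash that slice. The fonts and the PDF stream objects wrapping them are constructed fixtures built in-code; the sample's own fonts are not reproduced here, and the 64-table sanity bound is an assumption.

```python
import struct
from hashlib import sha256

# sfnt offset-table versions: TrueType (0x00010000), OpenType/CFF ("OTTO"), Apple ("true").
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")


def build_sfnt(tables):
    """Construct a minimal sfnt: offset table, table directory, 4-byte-aligned table data.
    Constructed fixture (checksums left at 0); it will not render as a font."""
    num = len(tables)
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", num, 0, 0, 0)
    directory, data = b"", b""
    base = 12 + 16 * num                      # first table follows the directory
    for tag, body in tables:
        directory += struct.pack(">4sIII", tag, 0, base + len(data), len(body))
        data += body + b"\0" * (-len(body) % 4)
    return header + directory + data


def sfnt_length(buf, start):
    """Walk the table directory at buf[start:] and return the font's byte length
    (end of the furthest table), or None if the bytes do not look like an sfnt."""
    if buf[start:start + 4] not in SFNT_MAGICS or start + 12 > len(buf):
        return None
    num = struct.unpack(">H", buf[start + 4:start + 6])[0]
    if not 0 < num <= 64:                     # real fonts carry a handful of tables (assumed bound)
        return None
    dir_end = 12 + 16 * num
    end = dir_end
    for i in range(num):
        rec = start + 12 + 16 * i
        if rec + 16 > len(buf):
            return None
        tag, _checksum, off, length = struct.unpack(">4sIII", buf[rec:rec + 16])
        if not all(0x20 <= c < 0x7F for c in tag):   # tags are printable ASCII ("cvt ", "OS/2")
            return None
        if off < dir_end or start + off + length > len(buf):   # table must sit after the directory
            return None
        end = max(end, off + length)
    return end


def carve_sfnt(blob):
    """Scan a container for embedded sfnt fonts; return (offset, length, sha256 hex) per font.
    A zero-dword or the word "true" can occur anywhere, so every hit is validated by
    sfnt_length before it is reported, and the scan resumes after each carved font."""
    found, pos = [], 0
    while pos + 12 <= len(blob):
        length = sfnt_length(blob, pos) if blob[pos:pos + 4] in SFNT_MAGICS else None
        if length:
            found.append((pos, length, sha256(blob[pos:pos + length]).hexdigest()))
            pos += length
        else:
            pos += 1
    return found


def build_container(fonts):
    """Wrap each font in an uncompressed PDF stream object (constructed fixture)."""
    out = b"%PDF-1.4\n"
    for i, font in enumerate(fonts):
        out += (b"%d 0 obj\n<< /Length %d /Length1 %d >>\nstream\n" % (10 + i, len(font), len(font))
                + font + b"\nendstream\nendobj\n")
    return out + b"%%EOF\n"


# Two constructed fonts with 4-byte-aligned table bodies (so carved length == file length).
FONT_A = build_sfnt([(b"head", bytes(56)), (b"cmap", b"cmap-data-aa"), (b"glyf", bytes(100))])
FONT_B = build_sfnt([(b"head", bytes(56)), (b"CFF ", b"cff-data-bbb")])

if __name__ == "__main__":
    for off, length, digest in carve_sfnt(build_container([FONT_A, FONT_B])):
        print(f"font_sfnt_off{off:08x}.bin  offset 0x{off:x}  {length} bytes  {digest}")
```

In a real PDF the FontFile2/FontFile3 streams are almost always Flate-compressed, so a carver first inflates each stream and reports offsets relative to the container or the decoded stream, whichever convention the tool documents; the table walk above is the same either way.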