Malicious PDF — malware analysis report

Static analysis result for SHA-256 d309f096066d3daf…

MALICIOUS

PDF

Size: 58.3 KB
Authoring application: Inkscape
MD5: a997c0eb9181082532008539042d676a
SHA-1: e492391668e7ec420a03526c38389fd28b0c23a8
SHA-256: d309f096066d3dafef9762455cf8112a1bfd43c6bf5b978ca281ead314f5424b
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document was flagged by multiple heuristics, including a critical PDF_SEO_LINK_FARM rule, indicating it contains a mass of external links. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier output further support its malicious nature. The embedded URLs are likely part of a phishing or traffic redirection scheme.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://miquelroig.com/uploads/1/3/0/7/130776126/nigokifaza.pdf
    • http://ivjournal.net/uploads/1/3/0/5/130588239/kejetomasofif.pdf
    • http://nbjonline.com/uploads/1/3/0/8/130874544/nuwoluwalovijem.pdf
    • http://monstermaniagame.com/uploads/1/3/0/8/130874289/vudowo-bedej.pdf
    • http://larazgourmet.com/uploads/1/3/0/9/130969910/gatil.pdf
    • http://www.appliancetone.com/uploads/1/3/1/0/131070137/78522de8f4a.pdf
    • http://heytherevalerie.com/uploads/1/3/0/8/130814516/jezubaro-mevado-xepisobalewixe.pdf
    • http://www.zenith.fitness/uploads/1/3/0/8/130814408/5930748.pdf
    • http://newtrailpioneer.com/uploads/1/3/0/3/130379141/8041396.pdf
    • http://modtran8.net/uploads/1/3/0/5/130588620/zuzomebono.pdf
    • http://resonaut.com/uploads/1/3/0/4/130476778/vexitejuwidumidomi.pdf
    • http://icbrconference.org/uploads/1/3/0/5/130551718/savejoxixexor.pdf
    • http://edcollaborations.org/uploads/1/3/0/8/130813362/rajisofes.pdf
    • http://www.day01wapparelgoods.com/uploads/1/3/0/5/130550785/nojedepa.pdf
    • http://supplychaingroup.biz/uploads/1/3/0/5/130589297/b24afc2d825558.pdf
    • http://mudgleyholidayhouse.com/uploads/1/3/0/7/130776025/gazofaz_fekev_kebig_xinajova.pdf
    • http://tempestbeautyllc.com/uploads/1/3/0/4/130489361/luguged-savodesuwuronu-dipanopo.pdf
    • http://sherpasolutions.com/uploads/1/3/0/5/130588221/5191216.pdf
    • http://misssampson.com/uploads/1/3/0/5/130545742/xesinimi.pdf
    • http://aplusvictoryproducts.com/uploads/1/3/0/6/130604213/gojuvaza.pdf
    • http://www.dreamplacebedding.com/uploads/1/3/0/5/130590243/cc4b722b3c13190.pdf
    • http://lal.dealmaking.org/uploads/1/3/0/6/130620547/pagoxiwodiwotej.pdf
    • http://www.prologixsa.com/uploads/1/3/0/5/130551621/7118697.pdf
    • http://nativenationarts.com/uploads/1/3/0/5/130551750/5240351.pdf
    • http://livelovecannabis.com/uploads/1/3/1/0/131071067/131071067.html#names+of+non+flowering+plants+with+pictures

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001701.bin
SHA-256: 7ea1feb65bac3df4d5c7284bf29f04a651537726dcabca315371df70202cae5d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1701
Size: 7732 bytes