Malicious PDF — malware analysis report

Static analysis result for SHA-256 d3f8bb70aba4ebb4…

Verdict: MALICIOUS
File type: PDF
Size: 71.3 KB
Authoring application: Karbon
MD5: f46bfc072210cbd42b8281cf52a57152
SHA-1: bf27c38a8c49dfab8d0b6f5eae8c6539cc7b1dfd
SHA-256: d3f8bb70aba4ebb40e976a71d5b6923ea6b681d4e822e8e82a5a4f16c245c343
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links to external PDF files, a technique often used for SEO poisoning or to redirect users to malicious content. The ML classifier and ClamAV detection strongly indicate malicious intent. The document body, though heavily obfuscated, contains references to 'GTA online solo money glitch', suggesting a lure to a scam or phishing site.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9614

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://amadorah.com/uploads/1/3/0/2/130274097/7845356.pdf
    • http://laketravischeerleading.com/uploads/1/3/0/8/130814345/3610069.pdf
    • http://learnmormonfacts.com/uploads/1/3/0/2/130273626/ludoxotafore_tefivoronexo.pdf
    • http://top20wordpress.com/uploads/1/3/0/7/130775922/wivinezopo_woguwede.pdf
    • http://seedhybridchecker.com/uploads/1/3/0/6/130621272/7885693.pdf
    • http://cameliascandles.org/uploads/1/3/0/8/130814559/xaxajulekaxim.pdf
    • http://kingscredit.org/uploads/1/3/0/2/130289649/vufomeros.pdf
    • http://ticketfree.net/uploads/1/3/0/4/130476722/3276800.pdf
    • http://microtiasurgery.net/uploads/1/3/0/5/130545185/letadufifiloxavijaw.pdf
    • http://definitest.com/uploads/1/3/0/5/130551518/6758812.pdf
    • http://coolboymusic.us/uploads/1/3/0/3/130323174/bevowusijilo_malizezufirer.pdf
    • http://referenceobscura.com/uploads/1/3/0/7/130740513/2467574.pdf
    • http://lltraininginstitute.net/uploads/1/3/0/4/130436080/jebotizijitotajop.pdf
    • http://bevingroup.com/uploads/1/3/0/5/130543155/8f8aae8190aab5.pdf
    • http://moretonislandfishingcharters.com/uploads/1/3/0/5/130550835/4300756.pdf
    • http://migrantliteraturejournal.com/uploads/1/3/0/8/130874237/9d83580.pdf
    • http://fitrition.com.au/uploads/1/3/0/6/130605509/vexakevu_jijopibumam.pdf
    • http://caseyahodges.com/uploads/1/3/0/7/130776520/wajiwokuwolemuduzu.pdf
    • http://steambrush.store/uploads/1/3/0/7/130775727/tusuvapimilol.pdf
    • http://mx.ozaukeemob.com/uploads/1/3/0/4/130476342/680e413ac12.pdf
    • http://tabletopleague.com/uploads/1/3/0/7/130740249/jibav-zumolekef.pdf
    • http://www.fireflyfinishes.com/uploads/1/3/0/7/130739139/bodelubetifonozuz.pdf
    • http://www.jayvapejuice.com/uploads/1/3/0/7/130776814/292b431f956.pdf
    • http://narkolepsy.com/uploads/1/3/0/5/130590457/e84714bf5bd9.pdf
    • http://q7vln.bpmtc.com/uploads/1/3/0/3/130379285/130379285.html#gta+online+solo+money+glitch

Extracted artifacts (8)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off00003563.bin
    SHA-256: 7e5312fda6b24330909bbcb6a3609ed96846913a1fbad71d278dc024efcd431b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x3563
    Size: 4560 bytes
  • font_01_sfnt_off0000460d.bin
    SHA-256: 2458ba89e5c8f541e63ad722bff5e42770361967c5dfc3e23d0abb82687fd065
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x460D
    Size: 6108 bytes
  • font_02_sfnt_off000054d8.bin
    SHA-256: 286aa36ebf0a2d7650e746a81b2089eaffea88e6fe1688e4a8cd5bbf5e4809a8
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x54D8
    Size: 17048 bytes
  • font_03_sfnt_off00006ca4.bin
    SHA-256: 7c596b2ffc1d5e3f2bbd1ab574ed3407dea3527302d56e5708ff1d9b79c3516e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6CA4
    Size: 3692 bytes
  • font_04_sfnt_off0000789d.bin
    SHA-256: 80b4eb032445293706c027062d2084c22484dd747c1fdd9074cdb67583d80c20
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x789D
    Size: 9652 bytes
  • font_05_sfnt_off00008c82.bin
    SHA-256: 6cb8c69a73ca37f123a3524207e14eba5df24d3a7f786e9f53d2cfc26fc889c6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8C82
    Size: 4268 bytes
  • font_06_sfnt_off00009983.bin
    SHA-256: e87945f563ed4338457c3697baa495c880e85ab5740bf3d67208e382aadc6c23
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9983
    Size: 9872 bytes
  • font_07_sfnt_off0000af7b.bin
    SHA-256: d93027bbed04bb3c760a00843e01a5f6abefb5527ee66b8ca3cb147fa321c4c9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xAF7B
    Size: 9264 bytes