Malicious PDF — malware analysis report

Static analysis result for SHA-256 d596128e57042bd4…

Verdict: MALICIOUS
File type: PDF
Size: 46.1 KB
Authoring application: Inkscape
MD5: 0e425c3adcdd3243c40fe3d64d5a46a5
SHA-1: 3e0a5f31b1ab26d7f7c6732bb941dbc4ec96afa7
SHA-256: d596128e57042bd4e861d8cc2f1e61ba229e677a8e2f06eaad1aed749c58887c
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded links to external PDF files hosted on various domains. This behavior is indicative of a link farm or a distribution mechanism for further malicious content, as flagged by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection and ML classifier further support the malicious nature of this file. No scripts were extracted from this sample, and the document body content is largely unreadable, making it difficult to determine the exact lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000038f4.bin
    SHA-256: f31c439e28d0137206b91a151f21343900f846ed9ff070250fbe82eb1cc7da1d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x38F4
    Size: 16204 bytes
  • Filename: font_01_sfnt_off00005186.bin
    SHA-256: d0bc3f479b0b69bb93d0bdeb972d8cdceab7e35aee3619f42a06bde44e74505c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5186
    Size: 10756 bytes