Malicious PDF — malware analysis report

Static analysis result for SHA-256 d70e3feb22779f1f…

MALICIOUS

PDF

Size: 51.2 KB
Authoring application: Karbon
MD5: e027d933fa687ad4946a9a49431d2e53
SHA-1: b2f01c39e6c90d1d8875c726026022195e3d4f96
SHA-256: d70e3feb22779f1f16825e43b05d1fbee0d1151dec97bc42eedf05280975e909
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file was flagged by multiple heuristics, including a critical alert for a 'PDF_SEO_LINK_FARM' and a high ML score, indicating malicious intent. ClamAV also detected it as 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. The document body is heavily obfuscated, but the presence of numerous external PDF links suggests a phishing or SEO manipulation tactic. The primary purpose appears to be redirecting users to potentially malicious content hosted on various domains.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off000012ab.bin
    SHA-256: 7bb6786c4eca380c0203672be8c77022f7ae8b564f406c129abccb42149740c3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12AB
    Size: 9024 bytes
  • font_01_sfnt_off00008eea.bin
    SHA-256: bb46f44250fe64fa227dfa22b797df6881be5316da04ce10ac221f390735fba4
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8EEA
    Size: 1744 bytes