Malicious PDF — malware analysis report

Static analysis result for SHA-256 ee63d1bccdb15110…

Verdict: MALICIOUS
File type: PDF
Size: 50.1 KB
Authoring application: Scribus
MD5: afa0781d5962aa1c50babcb3b0c81de0
SHA-1: 3e67c8fc2d3024ef5db473a85d656e73bb448a2b
SHA-256: ee63d1bccdb15110570cc130934838da0a0881841dde5f5c127a8cd901e2856b
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, as malicious. The critical PDF_SEO_LINK_FARM heuristic indicates a large number of embedded external links, with the primary domain being mythbay.com. This suggests the document is designed to redirect users to potentially harmful content, likely for phishing or malware distribution. The presence of these links is the primary driver of the malicious classification.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: http://mythbay.com/uploads/1/3/0/4/130435777/vigojuvu.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off000011ce.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11CE | 8596 bytes
    SHA-256: 085a4c89b0c087103779acb8181bfd0d9d17151c9f039037d98b9c82ce8e215d
font_01_sfnt_off000074da.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x74DA | 13208 bytes
    SHA-256: f7d513021527e27f39899f513e39a52449729ebbfacf57c0c89984821ae452dc