Malicious PDF — malware analysis report

Static analysis result for SHA-256 f1751e35a312149c…

Verdict: MALICIOUS
File type: PDF
Size: 47.2 KB
Authoring application: Karbon
MD5: 9718edf1dbc8aa7f49ade7b0cbd54b14
SHA-1: 2576244b8f251ccc4a6761690df5e7b95f1ef0cc
SHA-256: f1751e35a312149c0097efb955f961d23d541ec848aa341b64c4c3a73144e924
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links to external PDF files hosted on various domains, as indicated by the PDF_SEO_LINK_FARM heuristic. This suggests a phishing or SEO manipulation tactic. The ML classifier and ClamAV detection strongly support the malicious nature of the file. No scripts were extracted, and the document body was heavily obfuscated, making it difficult to determine the exact lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off000011b8.bin | 9c2c3a7f6be3923eb07d2b4d4392a88943fed4282bfa7f2c6eef5add15cad968 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11B8 | 9180 bytes
font_01_sfnt_off0000615f.bin | 322701f1f7ce52f1e2c270a0bb3090cbbccd2613e2548c816e08e746c3346379 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x615F | 16344 bytes
font_02_sfnt_off00007685.bin | 0883ce35338f5337c105894e95a32b7f52641d9dd7bddbc229b9dee1c0d21b8b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7685 | 5900 bytes