Malicious PDF — malware analysis report

Static analysis result for SHA-256 f21f62bf9197bea0…

MALICIOUS

PDF

File size: 32.0 KB
Authoring application: Karbon
MD5: d66b59f4ae2ba21aa7ff76e4ae870941
SHA-1: 91a7d313e039a3e5d90e62a643b40e8872eef005
SHA-256: f21f62bf9197bea05f20f1dbf2b5af43738bbe042ffedffc19143a4fa16473b0
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file was flagged by multiple heuristics, including a critical PDF_SEO_LINK_FARM rule and ClamAV detection as Pdf.Phishing.TtraffRobotInstall-7605656-0. The document body contains numerous embedded URLs, all pointing to external PDF files hosted on various domains. This suggests a phishing or SEO spam campaign designed to redirect users to potentially malicious content or to artificially inflate search engine rankings. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001f08.bin
SHA-256: b7a53121c401f7fd59a88c0c08044447ccb11249842cc849103a9abe2017308a
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1F08
Size: 7872 bytes