Malicious PDF — malware analysis report

Static analysis result for SHA-256 f22f66c0371ea9e4…

Verdict: MALICIOUS
File type: PDF
Size: 45.3 KB
Authoring application: Inkscape
MD5: db09ec75274cc348e817a15c123e695e
SHA-1: 5aab9a7b3d37551234b3557e9ab7c6279f14cabd
SHA-256: f22f66c0371ea9e4e27426fdf4ea4f9e7a8377d09c168d2144d831f5c62482d9
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. This suggests a phishing or SEO poisoning attack. The ML classifier and ClamAV detection strongly indicate malicious intent, specifically identified as 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. The document body is heavily obfuscated and does not provide clear textual lures.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00004dc8.bin
SHA-256: 68299372beb7674ad12406232c46cda1745ba7e1a174ea86fb7ae964c76b703e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x4DC8
Size: 8340 bytes