Malicious PDF — malware analysis report

Static analysis result for SHA-256 f831977744e1f71f…

Verdict: MALICIOUS
File type: PDF
Size: 52.5 KB
Authoring application: Inkscape
MD5: ede6b708b416df503f9cbdbb23b6cd0c
SHA-1: 3c1eb3a061167eee2eb9e7192ea4f2669f6b6607
SHA-256: f831977744e1f71f99ac3a64a32dd9bb6c7e2a6312d7ce9a7488f0f83e5941d3
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The PDF contains a large number of external links to other PDF files, a pattern typical of SEO-poisoning link farms, which exist to route search traffic into malicious or unwanted-software delivery chains. The ML classifier and the ClamAV signature both indicate malicious intent, most likely phishing or malware distribution. The document body is heavily obfuscated but mentions 'simple interest and compound interest', and the same phrase appears in the fragment of the last extracted URL, which suggests a lure chosen to get the reader to click the links. Note that the extracted links are spread across many different hosts rather than one, but they share a common /uploads/1/3/0/… path layout, so the clustering here is in the path template rather than in a single host.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://revistathesaurus.gov.co/uploads/1/3/0/4/130488891/jasom.pdf
    • http://modernretailcollective.store/uploads/1/3/0/4/130489331/2848096.pdf
    • http://phhlca.org/uploads/1/3/0/4/130488820/juzonogilubiwixo.pdf
    • http://boutiquenanamoda.com/uploads/1/3/0/3/130313203/560dbf77ecdfe.pdf
    • http://iloveharvest.com/uploads/1/3/0/4/130488810/2972178.pdf
    • http://elysianresources.us/uploads/1/3/0/6/130604860/8357014.pdf
    • http://insideosuokc.net/uploads/1/3/0/7/130739099/xititog-suxezalejeni.pdf
    • http://xtoid.com/uploads/1/3/0/3/130323164/dufeweneg-kovapakelukevi-rudebojimebun.pdf
    • http://carpentersbirmingham.com/uploads/1/3/0/6/130621776/dirug.pdf
    • http://cpanel.intellectandcreativity.com/uploads/1/3/0/2/130270957/62405.pdf
    • http://elisamurphyforjudge.com/uploads/1/3/0/2/130288864/nezasodo.pdf
    • http://idforensics.net/uploads/1/3/0/7/130739542/3611411.pdf
    • http://notionsbynonna.com/uploads/1/3/0/6/130620427/200949e02f.pdf
    • http://mesastreetmercantile.com/uploads/1/3/0/4/130483809/9875574.pdf
    • http://minnesotahistorymuseums.org/uploads/1/3/0/6/130640094/fovotutoki_vofosap_tafit_sesubolijijunak.pdf
    • http://fby4.com/uploads/1/3/0/5/130542924/252856.pdf
    • http://cobylight.com/uploads/1/3/0/6/130604729/46d5f4d.pdf
    • http://fuzzymath.org/uploads/1/3/0/4/130476351/8359538.pdf
    • http://arcsurgery.org/uploads/1/3/0/7/130739993/6542640.pdf
    • http://ssbcmarketing.com/uploads/1/3/0/6/130621622/xukabetebojino.pdf
    • http://joyofphysics.com/uploads/1/3/0/8/130813644/130813644.html#how+to+calculate+simple+interest+and+compound+interest+pdf
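The two mechanisms the heuristics above rely on, attributing each URL to the channel that reaches it (link annotation, JavaScript action, page text) and then scoring a small PDF by how many external PDF links it carries and how concentrated they are, can be reproduced with nothing but the standard library. The script below is an added example written for this page, not the scanner's own code; the sample PDF, every host name in it, and the thresholds (200 KB, 10 links, 60% on one host) are this example's assumptions and not the rule's real parameters.

```python
"""Added example, not the scanner's own code: pull URLs out of a PDF by the
channel that reaches them (link-annotation /URI actions, /JS actions, raw
page text) and score a PDF_SEO_LINK_FARM-style heuristic over the result.
Thresholds, host names and the sample PDF are this example's assumptions."""
import re
from collections import Counter
from urllib.parse import urlsplit

URL_RE = re.compile(rb"https?://[^\s\"'()<>]+")
# Literal PDF strings: anything but an unescaped paren, backslash escapes allowed.
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
JS_ACTION_RE = re.compile(rb"/JS\s*\(((?:[^()\\]|\\.)*)\)")


def build_sample_pdf(n_farm: int = 12) -> bytes:
    """Constructed input: a minimal uncompressed PDF with n_farm link
    annotations pointing at PDFs on one invented host, one link to a second
    host, one JavaScript open action and one URL inside the page text."""
    annots, objs, num = [], [], 4
    for i in range(n_farm):
        objs.append(b"%d 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
                    b"/URI (http://farm.example/uploads/1/3/0/%d/doc%d.pdf) >> >> endobj\n"
                    % (num, i, i))
        annots.append(b"%d 0 R" % num)
        num += 1
    objs.append(b"%d 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
                b"/URI (http://other.example/index.html) >> >> endobj\n" % num)
    annots.append(b"%d 0 R" % num)
    num += 1
    text = b"BT /F1 12 Tf (See http://body-host.example/notes.pdf) Tj ET"
    objs.append(b"%d 0 obj << /Length %d >> stream\n%s\nendstream endobj\n"
                % (num, len(text), text))
    parts = [
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction << /S /JavaScript "
        b"/JS (app.launchURL\\(\"http://js-host.example/run.pdf\"\\)) >> >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [" + b" ".join(annots)
        + b"] /Contents %d 0 R >> endobj\n" % num,
    ]
    return b"".join(parts + objs + [b"trailer << /Root 1 0 R >>\n%%EOF\n"])


def extract_urls_by_channel(pdf: bytes) -> dict:
    """Return {channel: [url, ...]}. Simplified on purpose: it only sees
    literal strings in uncompressed objects; real tooling must also inflate
    object streams and decode hex strings before applying the same idea."""
    link = [m.group(1).decode("latin-1") for m in URI_ACTION_RE.finditer(pdf)]
    js = []
    for m in JS_ACTION_RE.finditer(pdf):
        js += [u.decode("latin-1") for u in URL_RE.findall(m.group(1))]
    seen = set(link) | set(js)
    # Whatever is left after removing the attributed URLs came from body text.
    body = [u.decode("latin-1") for u in URL_RE.findall(pdf)
            if u.decode("latin-1") not in seen]
    return {"link_annotation": link, "javascript": js, "document_body": body}


def link_farm_verdict(pdf: bytes, urls: dict, max_size: int = 200_000,
                      min_links: int = 10, min_host_share: float = 0.6) -> dict:
    """Small file + many clickable external .pdf links + one dominant host.
    The three thresholds are assumptions for this example."""
    pdf_links = [u for u in urls["link_annotation"]
                 if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_n / len(pdf_links) if pdf_links else 0.0
    hit = (len(pdf) <= max_size and len(pdf_links) >= min_links
           and share >= min_host_share)
    return {"size": len(pdf), "external_pdf_links": len(pdf_links),
            "top_host": top_host, "top_host_share": round(share, 2),
            "PDF_SEO_LINK_FARM": hit}


if __name__ == "__main__":
    sample = build_sample_pdf()
    by_channel = extract_urls_by_channel(sample)
    for channel, found in by_channel.items():
        print(channel, len(found))
    print(link_farm_verdict(sample, by_channel))
```

The host-concentration test is what the rule text describes; for a sample like this one, whose links sit on many different hosts but share a common /uploads/1/3/0/… path layout, a practitioner would add a second Counter keyed on the leading path segments so that the template clustering is scored as well.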

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000520c.bin
  SHA-256: 0e3d1b362e3bd699ed25d18a85760bd8b1a20e1a8765863a3a308d0900580e64
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x520C
  Size: 16100 bytes

Filename: font_01_sfnt_off00006a43.bin
  SHA-256: 3c4bce37bcb4490f8d1072b62a858cc9b34629b101f974ba2fbec6f20cb92e25
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6A43
  Size: 9488 bytes
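Carving the fonts the table lists comes down to walking the PDF's stream objects, inflating the ones that declare /FlateDecode, and keeping those whose decoded body starts with an sfnt magic. The script below is an added example for this page, not the analysis pipeline's own carver; the sample PDF and the fake font inside it are constructed, and the output record mimics the table's fields (offset, decoded size, SHA-256) and its font_NN_sfnt_offXXXXXXXX.bin naming.

```python
"""Added example, not the scanner's own code: carve embedded sfnt font
streams out of a PDF and record the fields the artifact table shows
(offset, size, SHA-256). The sample PDF and its fake font are constructed."""
import hashlib
import re
import zlib

# A dictionary immediately followed by a stream body; non-greedy, DOTALL.
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)\nendstream", re.S)
SFNT_MAGICS = {
    b"\x00\x01\x00\x00": "TrueType",
    b"true": "TrueType (Apple)",
    b"OTTO": "OpenType/CFF",
    b"ttcf": "TrueType collection",
}
# Constructed stand-in for a font: sfnt header (version 1.0, one table record
# pointing at a 'head' table) followed by zero padding. Not a real font.
FAKE_SFNT = (b"\x00\x01\x00\x00" + b"\x00\x01" + b"\x00\x10\x00\x00\x00\x00"
             + b"head" + bytes(12) + bytes(54))


def build_sample_pdf(font: bytes = FAKE_SFNT) -> bytes:
    """Constructed input: one FlateDecode font stream plus one ordinary
    uncompressed content stream, so the carver has to tell them apart."""
    comp = zlib.compress(font)
    text = b"BT /F1 12 Tf (hello) Tj ET"
    parts = [
        b"%PDF-1.4\n",
        b"5 0 obj << /Length %d /Filter /FlateDecode /Length1 %d >> stream\n"
        % (len(comp), len(font)),
        comp, b"\nendstream endobj\n",
        b"6 0 obj << /Length %d >> stream\n" % len(text),
        text, b"\nendstream endobj\n",
        b"%%EOF\n",
    ]
    return b"".join(parts)


def carve_fonts(pdf: bytes) -> list:
    """Return one record per stream whose decoded body starts with an sfnt
    magic. Real tooling should honour /Length and the full /Filter chain
    instead of regex-scanning for 'endstream'; this is enough for the demo."""
    found = []
    for m in STREAM_RE.finditer(pdf):
        dict_bytes, raw = m.group(1), m.group(2)
        data = raw
        if b"/FlateDecode" in dict_bytes:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                continue  # truncated or multi-filter stream: skipped here, logged in real tooling
        kind = SFNT_MAGICS.get(data[:4])
        if kind is None:
            continue
        offset = m.start(2)  # file offset of the raw (still encoded) stream body
        found.append({
            "filename": "font_%02d_sfnt_off%08x.bin" % (len(found), offset),
            "offset": offset,
            "size": len(data),          # decoded size, as in the table
            "sha256": hashlib.sha256(data).hexdigest(),
            "kind": kind,
        })
    return found


if __name__ == "__main__":
    for rec in carve_fonts(build_sample_pdf()):
        print(rec)
```

Hashing the decoded font rather than the compressed stream is what makes the SHA-256 useful: the same font re-embedded by the same generator hashes identically across samples, so the two digests in the table can be pivoted on in other reports.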