Malicious PDF — malware analysis report

Static analysis result for SHA-256 fa96a03a33d5303a…

Verdict: MALICIOUS
File type: PDF
Size: 45.1 KB
Authoring application: Inkscape
MD5: e594bb220e0300a89b1dff6bfbd005aa
SHA-1: b14965995ca00e6b77b06155cfeae8f385916783
SHA-256: fa96a03a33d5303a3fcce0386217098d0df8a700301f905a4b425ce857c5c409
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links to external PDF files hosted on various domains. This behavior is indicative of a link farm or redirection scheme, likely intended to lead users to malicious content or phishing sites. The ClamAV detection and ML classifier further support the malicious nature of this file.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00001146.bin
    SHA-256: 102601ff8827ab80477adc641dd15c5a7a8a5543a27f56faad882c8eaf62d788
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1146
    Size: 8232 bytes
  • Filename: font_01_sfnt_off00006123.bin
    SHA-256: 3d52fc27d04b8b84b219df719738f768697e09c2050136bc1fe69fcddf4eca6e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6123
    Size: 2652 bytes
  • Filename: font_02_sfnt_off000069ee.bin
    SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x69EE
    Size: 16036 bytes