Malicious PDF — malware analysis report

Static analysis result for SHA-256 fb593e38fa4da7f7…

Verdict: MALICIOUS
File type: PDF
Size: 78.5 KB
Authoring application (self-reported in document metadata): Scribus
MD5: 29de2531cf240e427fa516afda543bc3
SHA-1: 90c840b3c510d033cb6c1411f990dec29c956374
SHA-256: fb593e38fa4da7f773725ccceb1f376fb434bba14885b2f2d4534f4d9094dcb2
Risk score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF embeds a large number of clickable URLs that point at other PDF files on third-party hosts, a pattern typical of SEO-spam carriers used to route users toward malicious or unwanted-software content. The ClamAV signature and the ML classifier agree on a malicious verdict. The document body is heavily obfuscated but still references these URLs, which is consistent with a generated link-farm document rather than ordinary citations. Note that the extracted links span distinct hosts yet share one /uploads/1/3/0/<n>/<id>/ path layout, which points to a single generator behind the whole set; pivoting on that path pattern is more useful than blocking individual hosts.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9984

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://tanishqspa.com/uploads/1/3/0/5/130589057/wusinugodonuriwe.pdf
    • http://bakedbounties.com/uploads/1/3/0/5/130588579/xinozoxosigokopo.pdf
    • http://peercard.net/uploads/1/3/0/6/130621867/kujosilemaxa.pdf
    • http://oaktreephotos.com/uploads/1/3/0/6/130621108/ca32cd9dfa5d99e.pdf
    • http://performx.shop/uploads/1/3/0/5/130588342/4998de.pdf
    • http://minischnauzerpuppiesnc.com/uploads/1/3/0/4/130488946/tetesasapigejavaxe.pdf
    • http://northcountrysuggieshop.com/uploads/1/3/0/7/130739751/2064780.pdf
    • http://townofgettysburg.com/uploads/1/3/0/4/130475932/5742591.pdf
    • http://nepservicesinc.com/uploads/1/3/0/4/130483213/lixivunazan_xozupegexa_vefunedu.pdf
    • http://beingself-centered.com/uploads/1/3/0/7/130776042/130776042.html#apostles+creed+catholic+meaning
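The PDF_SEO_LINK_FARM heuristic and the summary above describe the rule (small file, many clickable external links, mostly to other PDFs) without showing how it is computed. The following added example, which is not the analyzer's own code, extracts /URI link-annotation targets from raw PDF bytes and scores them. The thresholds, the `.test` hosts and the minimal PDF it builds are constructed for illustration and are not taken from the sample.

```python
"""Link-farm heuristic over a PDF's /URI link annotations.

Added example, not the analyzer's own code. It pulls /URI targets out of raw
PDF bytes and applies a size / link-count / target-type rule in the spirit
of the PDF_SEO_LINK_FARM heuristic in the report; every threshold below is
an assumed illustrative value.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# /URI followed by a literal string; handles backslash escapes inside it.
# Hex strings (<...>) and annotations packed into compressed object streams
# are invisible to this scanner; normalise such files with qpdf first.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uris(pdf_bytes):
    """Return the /URI targets found in the raw bytes, with PDF escapes undone."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))
        uris.append(raw.decode("latin-1", errors="replace"))
    return uris


def link_farm_score(pdf_bytes, max_size=200_000, min_links=5, min_pdf_ratio=0.6):
    """Score a PDF for the link-farm pattern: small file, many external links,
    most of them pointing at other PDFs. Returns the raw counts as well as the
    verdict so an analyst can see why a file was (or was not) flagged."""
    external = [u for u in extract_uris(pdf_bytes)
                if urlparse(u).scheme in ("http", "https")]
    to_pdf = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname or "" for u in external)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    n = len(external)
    return {
        "size": len(pdf_bytes),
        "external_links": n,
        "pdf_links": len(to_pdf),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": top_count / n if n else 0.0,
        "flag": (len(pdf_bytes) <= max_size
                 and n >= max(min_links, 1)
                 and len(to_pdf) / n >= min_pdf_ratio),
    }


def make_sample_pdf(urls):
    """Build a minimal uncompressed PDF with one /Link annotation per URL.
    Constructed test input, not a real sample."""
    annots, objs = [], []
    for i, u in enumerate(urls):
        n = 4 + i
        annots.append(f"{n} 0 R")
        esc = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        objs.append(f"{n} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    f"/A << /S /URI /URI ({esc}) >> >>\nendobj\n")
    body = ("%PDF-1.4\n"
            "1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            "3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
            f"/Annots [{' '.join(annots)}] >>\nendobj\n"
            + "".join(objs) + "trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return body.encode("latin-1")


# Constructed link set mimicking the report's layout: one dominant host plus
# stragglers, mostly .pdf targets, all under a shared /uploads/1/3/0/<n>/ path.
SAMPLE_URLS = [
    "http://farm-a.test/uploads/1/3/0/5/a1.pdf",
    "http://farm-a.test/uploads/1/3/0/5/a2.pdf",
    "http://farm-a.test/uploads/1/3/0/5/a3.pdf",
    "http://farm-a.test/uploads/1/3/0/5/a4.pdf",
    "http://farm-a.test/uploads/1/3/0/5/a5.pdf",
    "http://farm-b.test/uploads/1/3/0/6/b1.pdf",
    "http://farm-c.test/uploads/1/3/0/7/c1.pdf",
    "http://farm-c.test/uploads/1/3/0/7/index.html#some+query",
]

if __name__ == "__main__":
    for key, value in link_farm_score(make_sample_pdf(SAMPLE_URLS)).items():
        print(f"{key:16} {value}")
```

Real samples usually keep their annotations inside FlateDecode'd object streams, where a raw-byte scan sees nothing; run `qpdf --qdf --object-streams=disable in.pdf out.pdf` first so every object is plain text. The scorer reports `top_host_share` separately from the verdict so that the "mostly one host" criterion can be applied by hand, or, as with this sample, so that a set of links spread across many hosts with one shared path layout can be recognised for what it is.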

Extracted artifacts 3

Files carved from inside the sample during analysis. Offsets are the position of the source stream in the PDF. Embedded font programs are a long-standing exploit vector in PDF readers, so carved fonts deserve their own inspection rather than being dismissed as benign resources.

  • font_00_sfnt_off0000133e.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x133E
    Size: 9872 bytes
    SHA-256: bfbd06303b6fbfc73f8b2d594e9b7e83a92242b904c9b18c5440f4f80f2b1bbe
  • font_01_sfnt_off0000cfe2.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xCFE2
    Size: 19728 bytes
    SHA-256: 3212dd9e44ef1692abb25ded9585cf0164f14e06ee4b0cb85ed7b192350fb389
  • font_02_sfnt_off0000eb88.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEB88
    Size: 9344 bytes
    SHA-256: 1ea5210743785a3a9efd47f4b80002a1ca77289c1dfa1cd772d9f047393ccdcc
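The artifact list shows what the carver produced (sfnt fonts at given stream offsets, hashed) but not how such streams are found or what to check in them. The following added example, which is not the analyzer's own code, locates PDF stream objects, inflates FlateDecode streams, carves anything beginning with an sfnt magic, hashes it, and validates the sfnt table directory for out-of-bounds tables, the kind of malformation that has historically triggered font-parser bugs in readers. The two-table fonts and the PDF wrapper it builds are constructed test data; the stream locating is regex based and is an assumption about well-formed input (use qpdf or pdfminer for damaged or object-stream PDFs).

```python
"""Carve sfnt font programs out of PDF streams and sanity-check them.

Added example, not the analyzer's own code. Stream objects are located with
regexes (a real parser such as qpdf or pdfminer is the right tool for damaged
or object-stream PDFs); FlateDecode streams are inflated, and any stream that
starts with an sfnt magic is carved, hashed and checked for table-directory
bounds errors.
"""
import hashlib
import re
import struct
import zlib

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")
# Lookbehind keeps the "stream" inside "endstream" from starting a match.
STREAM_START = re.compile(rb"(?<!end)stream\r?\n")
# Direct /Length only; an indirect "/Length 12 0 R" must not match.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")


def parse_sfnt(blob):
    """Read the sfnt table directory; report table tags and bounds anomalies."""
    if len(blob) < 12:
        return {"tables": [], "anomalies": ["header truncated"]}
    num_tables = struct.unpack(">H", blob[4:6])[0]
    tables, anomalies = [], []
    if 12 + 16 * num_tables > len(blob):
        anomalies.append("numTables=%d exceeds data" % num_tables)
        num_tables = (len(blob) - 12) // 16
    for i in range(num_tables):
        tag, _csum, off, length = struct.unpack(">4sIII", blob[12 + 16 * i:28 + 16 * i])
        tag = tag.decode("latin-1")
        tables.append(tag)
        if off + length > len(blob):
            anomalies.append("table %s [%d+%d] out of bounds" % (tag, off, length))
    return {"tables": tables, "anomalies": anomalies}


def carve_fonts(pdf_bytes):
    """Return one record (offset, length, sha256, tables, anomalies) per sfnt."""
    found = []
    for m in STREAM_START.finditer(pdf_bytes):
        # The owning object's dictionary lies between "N G obj" and "stream".
        head = pdf_bytes[max(pdf_bytes.rfind(b" obj", 0, m.start()), 0):m.start()]
        lm = LENGTH_RE.search(head)
        if lm:
            data = pdf_bytes[m.end():m.end() + int(lm.group(1))]
        else:  # indirect /Length: fall back to the endstream keyword
            end = pdf_bytes.find(b"endstream", m.end())
            if end < 0:
                continue
            data = pdf_bytes[m.end():end].rstrip(b"\r\n")
        if b"/FlateDecode" in head:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue
        if data[:4] not in SFNT_MAGICS:
            continue
        found.append({"offset": m.end(), "length": len(data),
                      "sha256": hashlib.sha256(data).hexdigest(),
                      **parse_sfnt(data)})
    return found


def build_sfnt(tables):
    """Assemble a minimal sfnt container from {tag: bytes}. Constructed data."""
    num = len(tables)
    header = struct.pack(">IHHHH", 0x00010000, num, 0, 0, 0)
    records, bodies, off = b"", b"", 12 + 16 * num
    for tag, body in tables.items():
        records += struct.pack(">4sIII", tag, 0, off, len(body))
        body += b"\0" * (-len(body) % 4)  # tables are 4-byte aligned
        bodies += body
        off += len(body)
    return header + records + bodies


def make_sample_pdf(fonts):
    """Wrap (blob, compressed) pairs as PDF stream objects. Constructed data."""
    objs = []
    for i, (blob, compressed) in enumerate(fonts):
        data = zlib.compress(blob) if compressed else blob
        filt = b" /Filter /FlateDecode" if compressed else b""
        objs.append(b"%d 0 obj\n<< /Length %d%s >>\nstream\n" % (10 + i, len(data), filt)
                    + data + b"\nendstream\nendobj\n")
    return b"%PDF-1.4\n" + b"".join(objs) + b"trailer\n<< >>\n%%EOF\n"


GOOD_FONT = build_sfnt({b"head": b"\0" * 54, b"name": b"sample"})
BAD_FONT = bytearray(GOOD_FONT)
BAD_FONT[40:44] = struct.pack(">I", 0x7FFFFFFF)  # 'name' length now runs off the end
BAD_FONT = bytes(BAD_FONT)
SAMPLE_PDF = make_sample_pdf([(GOOD_FONT, False), (BAD_FONT, True)])

if __name__ == "__main__":
    for f in carve_fonts(SAMPLE_PDF):
        print("sfnt at offset 0x%X, %d bytes, sha256=%s" % (f["offset"], f["length"], f["sha256"]))
        print("  tables:", f["tables"], " anomalies:", f["anomalies"])
```

The reported length is that of the decoded font, while the offset is where the (possibly compressed) stream begins in the file, which is why adjacent entries in a carve list can have sizes larger than the distance between their offsets. A font with a table directory that points past the end of its own data is worth a second look in a sandboxed reader even when no signature fires on it.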