Malicious PDF — malware analysis report

Static analysis result for SHA-256 46f68f047b01739f…

MALICIOUS

PDF

43.0 KB Authoring application: Karbon
MD5: 734012022a79194f30da7f812be67f0b SHA-1: 73afcd3583ff45d1087af2aee74b2509ce875b74 SHA-256: 46f68f047b01739fb307504eff619194d5a1cf3580d09f9057e426977b9f82bc
160 Risk Score

Malware Insights

MITRE ATT&CK
T1059 Command and Scripting Interpreter

The PDF document contains a heuristic firing for a clipboard command lure, instructing the user to paste content into a shell. It also exhibits a PDF SEO link farm, with 31 external PDF links, many pointing to suspicious domains. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall' further supports a malicious classification. The primary intent appears to be social engineering to trick the user into executing commands, possibly to download further payloads.

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Clipboard command execution lure high SE_CLIPBOARD_COMMAND_LURE
    Document tells the user to copy or paste clipboard content into Run, PowerShell, cmd, or another shell-like execution context
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://xala.chama.site/uploads/2020/01/28/e190a.pdf
    • http://woro.lider-fruits.ru/uploads/2020/01/29/9093499.pdf
    • http://nabug.copyrightcontact-10000642147218.com/uploads/2020/01/27/5878664.pdf
    • https://patogadinom.weebly.com/uploads/1/3/0/4/130483703/nalekip_tazus_negorakebe_wuper.pdf
    • http://voze.mnekak.pro/uploads/2020/01/29/kididepogutekibigovi.pdf
    • http://sejaderiri.festivalweer.com/uploads/2020/01/28/5943876.pdf
    • http://pane.bestjournal.ru/uploads/2020/01/28/kifijaxotatu-favosivajo-kuxomizubumi.pdf
    • http://golosovanie-vlg-model.online/uploads/2020/01/28/foxirexivadorig.pdf
    • http://mulukaga.tvpays.ru/uploads/2020/01/28/c92ba.pdf
    • http://fegosola.sverhpotok.com/uploads/2020/01/27/16351.pdf
    • http://silane-guard16.ru/uploads/2020/01/27/rasupavunatav-lazoluguramu.pdf
    • https://lemigipitedugi.weebly.com/uploads/1/3/0/4/130435562/62bd8d94d6554.pdf
    • http://pav.change-expert.ru/uploads/2020/01/28/7213415.pdf
    • https://memipogukumeg.weebly.com/uploads/1/3/0/2/130289332/810452.pdf
    • http://sezusufuv.dodora.ru/uploads/2020/01/28/5513857.pdf
    • http://amazingxstore.com/uploads/2020/01/27/b5da4196d05.pdf
    • http://cailynv.com/uploads/1/3/0/5/130551129/bogip_soburusi.pdf
    • https://zajamedimol.weebly.com/uploads/1/3/0/2/130289495/lijemag.pdf
    • http://rulaje.shlyahovsky.pw/uploads/2020/01/28/5551223.pdf
    • http://multistreams.com/uploads/1/3/0/3/130323937/130323937.html#parallels+desktop+12+activation+key

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000015a5.bin
933a61e9736420fc7d0a5248b74b078c030be9bda7d2c6a790f5740fe7f5de03		 pdf-font-stream PDF embedded font (sfnt) at offset 0x15A5 8248 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.