Malicious PDF — malware analysis report

Static analysis result for SHA-256 4ab6df9c37c69a59…

Verdict: MALICIOUS
File type: PDF
Size: 26.7 KB
Authoring application (self-reported PDF metadata, trivially spoofable): Poppler-utils
MD5:     7fc96895fa9fb01420f6f0071c5fbc22
SHA-1:   91957bd5f1c38a12dbc6af83f6e751a4ec3a9060
SHA-256: 4ab6df9c37c69a59af70771a86a98c8eda0896c366724ba5822143d6511ed53c
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002, listed as "Spearphishing Attachment". In ATT&CK that ID is Phishing: Spearphishing Link; Spearphishing Attachment is T1566.001. Both fit a link-carrying PDF lure, so treat the label, not the ID, as the analyst's intent.
  • T1059.001 Command and Scripting Interpreter: PowerShell. Nothing in the static findings below (link annotations and one embedded font) shows PowerShell content; this mapping describes an expected downstream stage, not something observed in the sample.

The PDF file contains a large number of external links, flagged by the PDF_SEO_LINK_FARM heuristic. The ClamAV detection Pdf.Phishing.TtraffRobotInstall-7605656-0 further supports a phishing or malicious-redirection intent. The nine extracted URLs (eight distinct hosts, two of them weebly.com subdomains, all using the same /uploads/... path layout and all but one pointing at further .pdf files) are most likely used to route users to malicious content or to later stages of an attack. The document body text is largely unreadable because of truncation and encoding issues, but it mentions 'Chapter 2 divide whole numbers answer key', which suggests a lure aimed at people searching for educational material.

Heuristics (3)

  • PDF_SEO_LINK_FARM [critical]: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION [critical]: ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL [info]: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://keywestrealestateteam.com/uploads/1/3/0/3/130323616/melibu-tejetur-wazopijin.pdf
    • http://katerinariazanova.ru/uploads/2020/01/29/d3723.pdf
    • http://mafewuluxu.profial-ug.ru/uploads/2020/01/29/051fd326d9bec.pdf
    • https://nuxitatewoj.weebly.com/uploads/1/3/0/5/130539449/7966083.pdf
    • https://tuloxakinusen.weebly.com/uploads/1/3/0/4/130483412/fijuwuwomawawi_tugunusixowuxem.pdf
    • http://pemiletu.find-me-2019.com/uploads/2020/01/28/roxinapo.pdf
    • http://3kopeiki.ru/uploads/2020/01/28/6497210.pdf
    • http://fufisij.nwalk.ru/uploads/2020/01/28/bc8eba024.pdf
    • http://movingmindsdance.com/uploads/1/3/0/5/130551251/130551251.html#chapter+2+divide+whole+numbers+answer+key
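The PDF_SEO_LINK_FARM heuristic combines a file-size bound, a count of external link annotations and a per-site clustering test. The following is an added example, not the sandbox's own code, that reproduces that triage in Python: it pulls every /URI target out of the raw bytes (PDF literal-string and hex-string forms, with string escapes undone), groups targets by site and applies the rule. The sample PDF is constructed inside the block and carries the nine URLs listed above as /Link annotations; the thresholds, the two-label "site" approximation and the sample builder are assumptions, not values from the report.

```python
"""Link-farm triage for a PDF: extract /URI link targets, group them by site
and score them with a PDF_SEO_LINK_FARM-style rule.
Added example, not the scanner's code; thresholds are assumptions."""
import re
from collections import Counter
from urllib.parse import urlsplit

# /URI targets as PDF literal strings "(...)" or hex strings "<...>".
_URI_LITERAL = re.compile(rb'/URI\s*\(((?:\\.|[^\\)])*)\)', re.DOTALL)
_URI_HEX = re.compile(rb'/URI\s*<([0-9A-Fa-f\s]*)>')


def _unescape_literal(raw: bytes) -> bytes:
    # Undo the PDF string escapes that matter for URLs: backslash-paren,
    # backslash-backslash and backslash-newline (line continuation).
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == 0x5C and i + 1 < len(raw):          # backslash
            nxt = raw[i + 1]
            if nxt in (0x0D, 0x0A):                      # continuation: drop it
                i += 2
                if nxt == 0x0D and i < len(raw) and raw[i] == 0x0A:
                    i += 1
                continue
            out.append(nxt)
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return bytes(out)


def extract_uris(pdf: bytes) -> list[str]:
    """All /URI targets in file order (duplicates kept, so repeats still count)."""
    hits = [(m.start(), _unescape_literal(m.group(1))) for m in _URI_LITERAL.finditer(pdf)]
    for m in _URI_HEX.finditer(pdf):
        digits = re.sub(rb'\s+', b'', m.group(1))
        if len(digits) % 2:
            digits += b'0'                    # PDF pads an odd final nibble with 0
        hits.append((m.start(), bytes.fromhex(digits.decode('ascii'))))
    hits.sort()
    return [u.decode('latin-1') for _, u in hits]


def _site(url: str) -> str:
    """Registrable-domain approximation: last two labels (no public suffix list)."""
    host = urlsplit(url).hostname or ''
    labels = host.split('.')
    return '.'.join(labels[-2:]) if len(labels) >= 2 else host


def link_farm_verdict(pdf: bytes, *, max_size=64 * 1024, min_links=6, min_cluster=0.5) -> dict:
    """Flag a small PDF whose external links are clustered on one site or mostly
    point at other PDFs. Threshold values are assumptions."""
    external = [u for u in extract_uris(pdf) if urlsplit(u).scheme in ('http', 'https')]
    sites = Counter(_site(u) for u in external)
    top_site, top_count = sites.most_common(1)[0] if sites else ('', 0)
    pdf_targets = sum(urlsplit(u).path.lower().endswith('.pdf') for u in external)
    cluster = top_count / len(external) if external else 0.0
    hit = (len(pdf) <= max_size and len(external) >= min_links
           and (cluster >= min_cluster or pdf_targets >= min_links))
    return {"size_bytes": len(pdf), "external_links": len(external),
            "distinct_sites": len(sites), "top_site": top_site, "top_site_count": top_count,
            "cluster_ratio": round(cluster, 3), "pdf_targets": pdf_targets, "hit": hit}


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed test input: a one-page PDF with one /Link annotation per URL."""
    objs = ["<< /Type /Catalog /Pages 2 0 R >>", "<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    annots = " ".join(f"{4 + i} 0 R" for i in range(len(urls)))
    objs.append(f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [{annots}] >>")
    for u in urls:
        esc = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        objs.append(f"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI ({esc}) >> >>")
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for n, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += f"{n} 0 obj\n{body}\nendobj\n".encode("latin-1")
    xref_at = len(out)
    out += f"xref\n0 {len(objs) + 1}\n0000000000 65535 f \n".encode()
    out += b"".join(f"{o:010d} 00000 n \n".encode() for o in offsets)
    out += f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\nstartxref\n{xref_at}\n%%EOF\n".encode()
    return bytes(out)


# The nine URLs the report extracted, replayed as annotations in a constructed file.
SAMPLE_URLS = [
    "http://keywestrealestateteam.com/uploads/1/3/0/3/130323616/melibu-tejetur-wazopijin.pdf",
    "http://katerinariazanova.ru/uploads/2020/01/29/d3723.pdf",
    "http://mafewuluxu.profial-ug.ru/uploads/2020/01/29/051fd326d9bec.pdf",
    "https://nuxitatewoj.weebly.com/uploads/1/3/0/5/130539449/7966083.pdf",
    "https://tuloxakinusen.weebly.com/uploads/1/3/0/4/130483412/fijuwuwomawawi_tugunusixowuxem.pdf",
    "http://pemiletu.find-me-2019.com/uploads/2020/01/28/roxinapo.pdf",
    "http://3kopeiki.ru/uploads/2020/01/28/6497210.pdf",
    "http://fufisij.nwalk.ru/uploads/2020/01/28/bc8eba024.pdf",
    "http://movingmindsdance.com/uploads/1/3/0/5/130551251/130551251.html#chapter+2+divide+whole+numbers+answer+key",
]

if __name__ == "__main__":
    sample = build_sample_pdf(SAMPLE_URLS)
    for key, value in link_farm_verdict(sample).items():
        print(f"{key:>16}: {value}")
```

Scanning the raw bytes instead of walking the object tree is deliberate: it still finds annotations that sit in unreferenced or malformed objects, which is where droppers hide them. It does not see inside compressed object streams, so on a real sample decompress /ObjStm and FlateDecode streams first, or run the extractor over the inflated output as well. Against the nine URLs above the rule fires on the ".pdf target" branch rather than the clustering branch, since the targets are spread over eight sites.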

Extracted artifacts (1)

Files carved from inside the sample during analysis. No heuristic fired on this artifact; an embedded font is expected in a Poppler-produced document and is listed so it can be hashed and checked independently, not as an indicator in itself.

Filename: font_00_sfnt_off000010f2.bin
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x10F2
Size:     6708 bytes
SHA-256:  5361e36484c1524e9978c0630c5516758cab56be77ce0ccddf7e745facf4f7dc
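The offset and byte length in the table come from recognising an sfnt (TrueType/OpenType) header inside a stream and sizing the font from its own table directory. The block below is an added example of that carving step, not the sandbox's code: it scans a buffer for the sfnt magics, validates the header and every directory entry (rejecting a stray "true" token in PDF syntax and a font truncated by its containing stream), and hashes what it carves. The minimal two-table font, the decoy PDF fragment and the numTables bound are constructed assumptions.

```python
"""Locate embedded sfnt fonts (TrueType/OpenType) in a byte buffer by header
magic, size them from the table directory and hash the carved bytes.
Added example; not the sandbox's carving code."""
import hashlib
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")
MAX_TABLES = 64            # plausibility bound on numTables (assumption)


def sfnt_extent(buf: bytes, off: int):
    """Length of the sfnt starting at off, derived from its table directory.
    Returns None when the header or any table entry does not hold up, e.g. a
    PDF 'true' keyword mistaken for a magic, or a font cut short by its stream."""
    if buf[off:off + 4] not in SFNT_MAGICS or off + 12 > len(buf):
        return None
    num_tables = struct.unpack(">H", buf[off + 4:off + 6])[0]
    if not 1 <= num_tables <= MAX_TABLES:
        return None
    dir_end = 12 + 16 * num_tables
    if off + dir_end > len(buf):
        return None
    end = dir_end
    for i in range(num_tables):
        entry = buf[off + 12 + 16 * i: off + 28 + 16 * i]
        tag, _checksum, toff, tlen = struct.unpack(">4sIII", entry)
        if not all(0x20 <= b <= 0x7E for b in tag):         # tags are printable ASCII
            return None
        if toff < dir_end or off + toff + tlen > len(buf):  # after the directory, inside buf
            return None
        end = max(end, toff + tlen)
    return end


def carve_sfnt(buf: bytes) -> list:
    """Scan for every plausible sfnt header; return offset, length and SHA-256 of each."""
    fonts, pos = [], 0
    while True:
        cands = [c for c in (buf.find(m, pos) for m in SFNT_MAGICS) if c != -1]
        if not cands:
            return fonts
        off = min(cands)
        length = sfnt_extent(buf, off)
        if length is None:
            pos = off + 1                       # not a font; keep scanning
            continue
        blob = buf[off:off + length]
        fonts.append({"offset": off, "length": length, "magic": buf[off:off + 4],
                      "sha256": hashlib.sha256(blob).hexdigest()})
        pos = off + length


def build_sample_font() -> bytes:
    """Constructed minimal TrueType-flavoured sfnt with two tables (checksums not computed)."""
    tables = [(b"head", b"\x00" * 54), (b"name", b"sample font".ljust(20, b"\x00"))]
    header = struct.pack(">IHHHH", 0x00010000, len(tables), 32, 1, 0)
    offset, directory, body = 12 + 16 * len(tables), b"", b""
    for tag, data in tables:
        directory += struct.pack(">4sIII", tag, 0xB1B0AFBA, offset, len(data))
        padded = data + b"\x00" * (-len(data) % 4)     # tables are 4-byte aligned
        body += padded
        offset += len(padded)
    return header + directory + body


SAMPLE_FONT = build_sample_font()
SAMPLE_FONT_SHA256 = hashlib.sha256(SAMPLE_FONT).hexdigest()
# Constructed PDF fragment: a decoy "true" keyword, then a stream carrying the font.
SAMPLE_PREFIX = (b"%PDF-1.4\n1 0 obj\n<< /Type /XObject /Interpolate true /Length 8 >>\n"
                 b"stream\n" + b"\x00" * 8 + b"\nendstream\nendobj\n"
                 b"2 0 obj\n<< /Length " + str(len(SAMPLE_FONT)).encode() + b" >>\nstream\n")
SAMPLE_PDF = SAMPLE_PREFIX + SAMPLE_FONT + b"\nendstream\nendobj\n"

if __name__ == "__main__":
    for f in carve_sfnt(SAMPLE_PDF):
        print(f"sfnt {f['magic']!r} at 0x{f['offset']:X}, {f['length']} bytes, sha256 {f['sha256']}")
```

The length is the end of the farthest table, which is what a carver can justify from the data; a real FontFile2 stream may carry trailing padding that a /Length1 value would include, so the carved size can differ slightly from the stream length without anything being wrong. Run it over the decompressed stream data, since fonts in a PDF are almost always FlateDecode-compressed and the magic is not visible in the raw file.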