Malicious PDF — malware analysis report

Static analysis result for SHA-256 a130b33eb6bf2767…

Verdict: MALICIOUS
File type: PDF
Size: 41.8 KB
Authoring application: SWFTools
MD5: 44f06bc7cc3c1773fad5c886540e99d6
SHA-1: 78f417f2587e1a76bda5450d3ca02115141e1c8a
SHA-256: a130b33eb6bf2767238a3f7a782b135562ed7b9e5f0ab5bee96d7711ea3b0b83
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file was identified as malicious by ClamAV with the signature Pdf.Phishing.TtraffRobotInstall-7605656-0. Static analysis revealed a significant number of embedded external links, characteristic of a link farm used for phishing or malware distribution. The document body contains garbled text and references to 'Meganthi circus hd video songs free', suggesting a lure to entice users to click on the malicious links.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00001135.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1135
    Size: 7700 bytes
    SHA-256: 5d08ee02dadc484884b8ee41a622ef6beec09e84ed427dafa000b03fcad6ae29
  • font_01_sfnt_off00005310.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5310
    Size: 1800 bytes
    SHA-256: f7560c217efc42e92986fc317b695ff45d5ffd84cff955a8bc7979e985b94f25
  • font_02_sfnt_off00005b6b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5B6B
    Size: 16384 bytes
    SHA-256: ac49849b978058f48725d089179747450f7987fdfd4cddbc63fac11af8b99083