Malicious PDF — malware analysis report

Static analysis result for SHA-256 a656d6128ea76d6b…

MALICIOUS

PDF

Size: 41.7 KB
Authoring application: Pdftk
MD5: 827ec970d3a5cc8801b07ec72fcb1b46
SHA-1: a701b627d323192ac480e50b45103d4604a1b8b2
SHA-256: a656d6128ea76d6b65222c7980f577ba2e5b62285eda367c01e83d118f239f84
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of external links, many of which point to suspicious domains and are likely part of a link farm designed to attract search engine traffic. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' strongly suggests a phishing or traffic redirection campaign. The document body, while containing some obfuscated text, also explicitly lists several URLs, reinforcing the link farm and potential phishing attack vector. The primary intent appears to be redirecting users to malicious content hosted on these external domains.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000011f7.bin
  SHA-256: b01b8e8b52926590244aea58f36e983c2b8f411a9871cc8b7522163a00585fbb
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x11F7
  Size: 8756 bytes

Filename: font_01_sfnt_off00005c52.bin
  SHA-256: 45c39c4315a5d00962143d4102937301eb2649728d6de39b959633cfc30365c3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5C52
  Size: 16144 bytes