Malicious PDF — malware analysis report

Static analysis result for SHA-256 ab9084fce5705c1e…

Verdict: MALICIOUS
File type: PDF
Size: 29.6 KB
Authoring application: Adobe PDF Library 9.0
MD5: 8f54c52a7aaf9deb3831f0c7cd5a6089
SHA-1: 048aab50a152a3eeee4b03af0463eb6cfeebc9f3
SHA-256: ab9084fce5705c1efef62c85292374e0558f210408e44f7e067919350de463b2
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF document contains a large number of embedded external links, flagged by the PDF_SEO_LINK_FARM heuristic. This technique is commonly used for SEO manipulation or to route users toward malicious payloads. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports malicious intent, most likely phishing or traffic redirection. No scripts were extracted from this sample, which limits the ability to determine the specific payload delivery mechanism.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://www.laurielovesoap.com/uploads/1/3/0/7/130776219/kokelewaturado.pdf
    • http://www.southamptonteachers.com/uploads/1/3/0/2/130287886/ba2964de9a.pdf
    • http://theothercarshow.com/uploads/1/3/0/7/130776049/jozebapotewen.pdf
    • http://www.brushworkbyarlenebuster.com/uploads/1/3/0/4/130476970/gurapipa.pdf
    • http://weberhomeinspection.com/uploads/1/3/0/5/130542822/4413553.pdf
    • http://nicksandmay.com/uploads/1/3/0/7/130776073/3f6f79e6fb49.pdf
    • http://3riverpartners.com/uploads/1/3/0/4/130476205/144121.pdf
    • http://mckinneytechsolutions.net/uploads/1/3/0/6/130621437/8443180.pdf
    • http://friendsofsatyarhodesconway.com/uploads/1/3/0/7/130739678/bf38918e05395b.pdf
    • http://peoplehacking.net/uploads/1/3/0/2/130289565/vifakafara.pdf
    • http://consultingser.com/uploads/1/3/0/6/130639676/4364568.pdf
    • http://stedwardschoolchristmastreefundraiser.com/uploads/1/3/0/6/130640094/zozumuvimod-folixoxewevaw-bobabewan.pdf
    • http://monicafyfe.com/uploads/1/3/0/9/130969854/f715ed8e6cebb3.pdf
    • http://jaylance.net/uploads/1/3/0/4/130488779/7443339.pdf
    • http://coloradocriminallawattorneys.com/uploads/1/3/0/2/130272636/bomosobukidefa.pdf
    • http://moorerealtymanagement.com/uploads/1/3/0/6/130639491/ef89e96c7a57.pdf
    • http://crescentheightsmidatlantic.com/uploads/1/3/0/7/130776358/pazegof.pdf
    • http://manhadunyulechengaomenduchang.br3h.com/uploads/1/3/0/5/130588405/6604736.pdf
    • http://smpcreditrepair.org/uploads/1/3/0/6/130639269/dekimijobetiwe.pdf
    • http://wcd-bbe54d23.mgh-r.ch/uploads/1/3/0/5/130551000/130551000.html#mpdf+6.1+php+version

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001876.bin
SHA-256: 7343b5c17afec7ee1db6513bb7a2fee782d491ef7df3334e36e20d82cc92888e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1876
Size: 6392 bytes