Malicious PDF — malware analysis report

Static analysis result for SHA-256 aba46fb2e78a12ac…

Verdict: MALICIOUS
File type: PDF
Size: 39.3 KB
Authoring application: SWFTools
MD5: 8053bb18c66125f6d708c2a4b589ad0b
SHA-1: ab090bcc1c6fe994429d9fcb265a15787f712de4
SHA-256: aba46fb2e78a12ac01dbe74e339aeb972f29947e3922383d9e33517dd302a5cb
Risk score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file was detected as malicious by ClamAV with the signature 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. Static analysis revealed a large number of embedded external links, a common technique for SEO poisoning and phishing lures. The primary host for these links is 'pogopossum.net', which is also listed as the first URL in the document body. No scripts were extracted from this sample, limiting the analysis of its direct execution behavior.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: http://pogopossum.net/uploads/1/3/0/5/130539825/tarun.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00001251.bin
    SHA-256: b2c102042af950c210a63dcb6226f4137dd59825ee3048df33f99001b53eaca2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1251
    Size: 9100 bytes
  • Filename: font_01_sfnt_off000055a0.bin
    SHA-256: eed8e1c224acf41171ac3784f4f1364ca82e214efab6eb4e286f8d99b4d700c2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x55A0
    Size: 16608 bytes