Malicious PDF — malware analysis report

Static analysis result for SHA-256 fb5f9ff30ab5b9b9…

MALICIOUS

PDF

Size: 55.9 KB
Authoring application: PDF Studio
MD5: 81c20941c9527fc8a02b3c9ceb8b2590
SHA-1: af152c83ed73bea9e5ca0c7f401321fbbe5388b1
SHA-256: fb5f9ff30ab5b9b93c7fdf989ad497fee996713167ba4a5b5c6ae44d26e7eab5
Risk Score: 120

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file was detected by ClamAV as Pdf.Phishing.TtraffRobotInstall. The primary heuristic indicates a large number of external PDF links, suggesting a link farm for SEO manipulation or to host further malicious content. The embedded URLs are likely part of this scheme, redirecting users to potentially harmful sites. No scripts were extracted from this sample.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://nancytoofani.com/uploads/1/3/0/4/130435659/vibisaw-nosokejomowotum.pdf
    • http://nadiacorson.com/uploads/1/3/0/3/130312986/kekexilipitigonupedi.pdf
    • http://lakuv.do-long.com/uploads/2020/01/28/7cde93b4bcf.pdf
    • http://joescottportfolio.com/uploads/1/3/0/6/130620838/kopok_wevizesenewiruw_vetexesexamin_jogoragolave.pdf
    • http://audioallure.com/uploads/1/3/0/4/130483394/bowesafob.pdf
    • http://xuxefakom.vipiski-besplatno43.icu/uploads/2020/01/28/viburerati.pdf
    • http://wirol.vipiski-besplatno54.icu/uploads/2020/01/28/govafifixipiwib_gusizufumadimel.pdf
    • http://ke-heslop.org/uploads/1/3/0/3/130313193/50c63c1f.pdf
    • http://coratoloassociatesllc.com/uploads/1/3/0/5/130589133/755381.pdf
    • http://narrins.com/uploads/1/3/0/5/130545254/4840935.pdf
    • http://lindseyvlasman.com/uploads/1/3/0/3/130323146/dujimulizewiza-jozedefi.pdf
    • https://kijetozev.weebly.com/uploads/1/3/0/5/130588921/notiw.pdf
    • http://myuntoldpleasures.com/uploads/1/3/0/3/130379777/a9638bec05a51e.pdf
    • http://derun.lada-detail.net/uploads/2020/01/27/db843caf2f.pdf
    • http://sironatour.ru/uploads/2020/01/29/xipon.pdf
    • http://funetosiz.kvartiradomkzn.ru/uploads/2020/01/28/wokegopeka.pdf
    • https://rasavinev.weebly.com/uploads/1/3/0/4/130488417/fefimonoxo.pdf
    • https://fodufixetok.weebly.com/uploads/1/3/0/5/130590478/4307415.pdf
    • http://alanpliuart.com/uploads/1/3/0/6/130622022/mijijixojenumoxug.pdf
    • http://boominworld.com/uploads/1/3/0/5/130541597/mefudililovujuka.pdf
    • http://montanabridalshows.com/uploads/1/3/0/4/130483376/7852267.pdf
    • http://nolanspettingzoo.weebly.com/uploads/1/3/0/3/130324030/xivabewonimubitef.pdf
    • http://cmoseleymusic.com/uploads/1/3/0/5/130542912/184a6ffe261dee.pdf
    • http://bluecrabkeyflorida.com/uploads/1/3/0/2/130289428/d7ce34b3a5c4394.pdf
    • http://sendsomehappymail.com/uploads/1/3/0/6/130639140/130639140.html#chirugali+pata+song

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00001888.bin | bb55b5a15e8be093378445e4294a34da30be40822df77ba83e3b11fc5b905f1e | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1888 | 7584 bytes
font_01_sfnt_off00009fa1.bin | 1b3f82cd74c5b6671cc0c0d4a6c7877b74bb57ca469b2a61ef541918e41af838 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9FA1 | 2652 bytes