Malicious PDF — malware analysis report

Static analysis result for SHA-256 1afe4742c01d7e94…

MALICIOUS

PDF

40.0 KB Authoring application: PDFedit
MD5: 4f823d52d2b3e47a4ae7b9feb1641458 SHA-1: 0e1fdaf7d257faeefd863872c745801f80700803 SHA-256: 1afe4742c01d7e94afe824bcf03d771eb1c2d910afc605b1fb5e14e21b0fdb7c
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The file is a PDF document identified by ClamAV as Pdf.Phishing.TtraffRobotInstall-7605656-0. It contains multiple embedded URLs that likely lead to further malicious content or phishing pages. The document body, though heavily obfuscated, contains references to these URLs and appears to be a lure, possibly disguised as a manual, to trick users into downloading or interacting with malicious content.

Heuristics 3

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://nefariwud.baikaltouristic.com/uploads/2020/01/28/da8507216cb6e70.pdf
    • http://flipcirco.com/uploads/1/3/0/6/130639924/9214113.pdf
    • http://spiritcircuits.net/uploads/1/3/0/6/130639362/9910268.pdf
    • http://somersetfoodtrail.org/uploads/1/3/0/8/130814168/130814168.html#alcatel+lucent+ip+touch+4068+manual+espa%C3%B1ol

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000011e8.bin
c24863c889f6bdb7278009c7b1f0beab6436fc4e73210fd88fc7b60a8d28454e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11E8 10448 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.