MALICIOUS
Risk Score: 122
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The file is identified as a PDF containing lures for advance-fee scams, specifically mentioning lottery winnings or parcel deliveries. It also exhibits characteristics of callback phishing, prompting users to call a number for support or to resolve issues. The presence of numerous external URLs suggests a delivery mechanism for further malicious content or phishing pages. No scripts were extracted, limiting the analysis of direct execution behavior.
Heuristics 5
- ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
- Advance-fee lottery/parcel scam lure (high, SE_ADVANCE_FEE_SCAM_LURE): Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
- Callback phishing phone lure (medium, SE_CALLBACK_LURE): Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns.
- External URI (info, PDF_URI): PDF contains an external URL action
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off00005b12.bin (0f0ece3b58a4919114ef55d1c8737c7bcff314bb2c42da2573515420364d1124) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5B12 | 9052 bytes |
| font_01_sfnt_off000191fe.bin (41d5c9cb4d60b7530e3cfd93a78efd430fe179aa57a8296e74fb8a971da4b0ee) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x191FE | 2600 bytes |