Malicious PDF — malware analysis report

Static analysis result for SHA-256 2598801075ee94a6…

MALICIOUS

PDF

54.3 KB Authoring application: GIMP
MD5: e3e78d3a8399de49b870b7bbfecbfa5c SHA-1: 879633def550c29fe66075066ee90be17d421dd4 SHA-256: 2598801075ee94a691292c5d8e75516dacddd5a894a63c5c23b8c935e39a59c8
222 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

This PDF document employs a social engineering tactic, instructing the user to press Win+R or paste a command, likely to bypass macro restrictions and execute a payload. It contains numerous invisible and repeated links, with one specifically pointing to 'cecilyeiferle.com' and mentioning 'failed to load steam.dll', suggesting a lure to download a malicious file disguised as a legitimate update. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports its malicious nature.

Heuristics 5

  • Invisible/repeated PDF links deliver payload file critical PDF_REPEATED_PAYLOAD_LINK_LURE
    PDF uses invisible link annotations and points to a direct payload download. Repeated invisible links or lure-like payload names such as document/unlock/verify archives match malware-delivery PDF carriers where the page is only a prompt and the real payload is fetched from the linked URL.
  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • ClickFix social engineering attack high SE_CLICKFIX
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://newkirkpsalmshymns.weebly.com/uploads/1/3/0/6/130621651/zenebofevakim.pdf
    • http://my-english-lesson.us/uploads/1/3/0/5/130551309/8e34a.pdf
    • http://tatepazu.funblog.online/uploads/2020/01/29/ratow.pdf
    • http://pantherfightteam.com/uploads/1/3/0/3/130323559/8bae84a9a9e9.pdf
    • http://ashleighcrystal.com/uploads/1/3/0/5/130539329/4533139.pdf
    • http://mvmaxclinicadeginastica.com/uploads/1/3/0/5/130540286/8308585.pdf
    • http://nilakim.com/uploads/1/3/0/6/130639962/laxafidamodoze.pdf
    • http://assentive.net/uploads/1/3/0/6/130640219/1622582.pdf
    • http://richardmedina.net/uploads/1/3/0/2/130288924/1956251.pdf
    • http://nwasuzukistrings.com/uploads/1/3/0/6/130620469/duraxeju_pebevakuse_tixed_sutij.pdf
    • http://cecilyeiferle.com/uploads/1/3/0/6/130605080/130605080.html#failed+to+load+steam.dll

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000121e.bin
7d3e1257a6a22e61574520dd5966f86ab395c3393fb16e7650f11d3d4bed225d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x121E 8280 bytes
font_01_sfnt_off000071f2.bin
840b5742608418e5b191ee28925fb5aebf05854a325a1508418110f4987065b8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x71F2 8492 bytes
font_02_sfnt_off00008ca9.bin
279e6575d09d203a5a6f24ffad31b68277bec504ec7c22be950ffe24b8ee1d5e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8CA9 16488 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.