Malicious PDF — malware analysis report

Static analysis result for SHA-256 2990ae1b42e63358…

Verdict: MALICIOUS
File type: PDF
Size: 36.1 KB
Authoring application: LibreOffice Draw
MD5: 3fd993e4d0514ffdc734c140b6241ea2
SHA-1: e9ae47cdf41c86ed8245808ec23d217f75376b3e
SHA-256: 2990ae1b42e63358534104615f9a073354919f00673676ed438ed2dc5a671772
Risk score: 70

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1566.002 Spearphishing Attachment

The file is a PDF document identified by ClamAV as Pdf.Phishing.TtraffRobotInstall. The document body contains text related to fonts and agendas, and includes multiple URLs pointing to external PDF and HTML files. One of these URLs, http://beclaims.com/uploads/1/3/0/4/130476266/8c84f9084.pdf, is explicitly flagged as an external URI. The presence of a download button lure further supports the phishing pretext. The overall pattern suggests a phishing campaign attempting to trick users into downloading malicious content.

Heuristics (4)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL http://beclaims.com/uploads/1/3/0/4/130476266/8c84f9084.pdf
    • http://mrsuttonhistory.com/uploads/1/3/0/4/130476183/lofeg.pdf
    • http://ninjamindfulness.com/uploads/1/3/0/6/130605077/ferofekokanabobe.pdf
    • http://lesetoiles-paris.com/uploads/1/3/0/5/130588546/857856.pdf
    • http://misbailes.com/uploads/1/3/0/5/130539718/130539718.html#agenda+bold+italic+font+free

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00000fb9.bin | 3b8049f3a12315b12a76375ee9e6ca72f3c3c9d123efa2867ade9154f83dd0b9 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xFB9 | 8228 bytes
font_01_sfnt_off00004698.bin | d65752e558a9090157c9a1b02647c04d2680198cf9d52ff42939ef8ccbf7fabd | pdf-font-stream | PDF embedded font (sfnt) at offset 0x4698 | 16084 bytes