Malicious PDF — malware analysis report

Static analysis result for SHA-256 360975b2ab263815…

MALICIOUS

PDF

34.4 KB Authoring application: Pdftk
MD5: 2530d18b476b15167e2c0489493aa984 SHA-1: 6985372f237595ae0f91bad4f6a22118df14401b SHA-256: 360975b2ab26381548d747c89c15854e52e6f4d6edad7ec0eebcd31db55edb26
80 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The file is detected as Pdf.Phishing.TtraffRobotInstall-7605656-0 by ClamAV, indicating a phishing attempt. The document body contains language related to tenancy agreements and includes phrases like 'Click here to download', suggesting a lure to download further malicious content. Multiple external URLs are embedded, pointing to potential download locations for the next stage of the attack.

Heuristics 5

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://nyvoicedialogue.com/uploads/1/3/0/6/130621490/guxixodexipisitunoz.pdf
    • http://mollybernard.com/uploads/1/3/0/6/130605283/zazalidemujuvu.pdf
    • http://zel.qw251789.ru/uploads/2020/01/28/95308.pdf
    • http://tanglewood-ranch.com/uploads/1/3/0/4/130483863/7bc37beed.pdf
    • http://nicolitulk.com.au/uploads/1/3/0/4/130435966/130435966.html#shorthold+tenancy+agreement+free+download

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00001016.bin
d1e0a5a060daf6fa504463601919caf564e0502367716b18437b4e23bd97f3c4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1016 7904 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.