Malicious PDF — malware analysis report

Static analysis result for SHA-256 3bf529ddad4ae4ab…

Verdict: MALICIOUS
File type: PDF
Size: 252.8 KB
Authoring application: Scribus
MD5: 6d5a1c27a371a33430dc06e46b0a4cc0
SHA-1: b43b9761ad510ce6212c8ea3a0b14ddde64c69df
SHA-256: 3bf529ddad4ae4abadb1c519ef3cf5a2bdd013bd82776431b4a419eecae9d985
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The ClamAV heuristic indicates this PDF is likely a phishing lure. The embedded URLs suggest an attempt to redirect the user to download further malicious content, likely another PDF or executable. The document body is heavily obfuscated and does not provide clear textual clues, but the presence of multiple external links points to a delivery mechanism for a second-stage payload.

Heuristics (3)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI (severity: info, tag: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://moshathestylist.com/uploads/1/3/0/5/130588870/gomubilozifivid.pdf
    • http://zadaz.shoppohudenie.ru/uploads/2020/01/28/goxubapurew_nomusi.pdf
    • http://trouthide.com/uploads/1/3/0/5/130590678/16004.pdf
    • http://permmenx.xyz/uploads/2020/01/28/5fcf22bb631.pdf
    • http://crownkeynsham.weebly.com/uploads/1/3/0/6/130622049/8179447.pdf
    • http://yorubaclubofbelgium.com/uploads/1/3/0/5/130545021/4a5792.pdf
    • http://americanhazelnut.co/uploads/1/3/0/2/130272389/fizunolidibakekete.pdf
    • http://mikaren.com/uploads/1/3/0/6/130604795/ripulupejejemokopo.pdf
    • http://xamej.parkingcentermadrid.com/uploads/2020/01/28/5590252.pdf
    • http://msnenglish.net/uploads/1/3/0/4/130483811/4664933.pdf
    • http://nwlearningandgrowth.com/uploads/1/3/0/6/130620868/05d3cd3d3a6e70.pdf
    • https://viridonowokuxak.weebly.com/uploads/1/3/0/5/130550721/tonojila.pdf
    • http://cityonloc.com/uploads/1/3/0/6/130620399/130620399.html#%E8%87%A8%E5%BA%8A%E8%A8%BA%E6%96%B7%E8%88%87%E6%AA%A2%E9%A9%97%E6%AD%A3%E5%B8%B8%E5%80%BC%E6%89%8B%E5%86%8A%28pocket+guide+to+diagnostic+tests+6%2Fe%29

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each entry lists: filename, SHA-256, kind, source, size.

  • stream_006_off00010ce1.bin
    SHA-256: a6310c7ebd877dbe1cbc4625489e4edba43bcf55329e5a96204d10d70dba2161
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x10CE1
    Size: 244704 bytes
  • font_00_sfnt_off0000166e.bin
    SHA-256: a45e93978066cff60daef323e3d610f1d3be9c0987d8e1218e648d3b0d5dda2c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x166E
    Size: 9164 bytes
  • font_01_sfnt_off0000d566.bin
    SHA-256: d61165d971979e8a299ec4c521a4f26e7e000bcfc4891be5aa5efb8b13656734
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD566
    Size: 16588 bytes
  • font_02_sfnt_off0000ebe7.bin
    SHA-256: 4f3f55de675a95109c6060fb8d8cfa2d098f9c087e7264885a269cacde826c85
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEBE7
    Size: 3424 bytes