Malicious PDF — malware analysis report

Static analysis result for SHA-256 50c7b5f13d9c49b8…

MALICIOUS

PDF

35.1 KB Authoring application: Serif PagePlus
MD5: 445cbf06883b10669ffb36adfd796b32 SHA-1: 9e6978e9f33f16f7b107f26bb7c2bc7069fccd0a SHA-256: 50c7b5f13d9c49b820ee973455a60ce89f64dac6d57214a38d38289be6880671
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The file is a PDF document that contains embedded URIs pointing to external PDF files. The ClamAV heuristic 'Pdf.Phishing.TtraffRobotInstall-7605656-0' strongly suggests a phishing or malicious content delivery intent. The embedded URLs are likely part of a campaign to distribute further malicious content or lead users to phishing sites.

Heuristics 3

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://monarchlax.com/uploads/1/3/0/6/130639343/37d4a88c4d521f.pdf
    • http://blackouttrading.com/uploads/1/3/0/6/130622049/5521023.pdf
    • http://miraclesinmyanmar.org/uploads/1/3/0/5/130551534/rilod-zarudifuxi-notovarup.pdf
    • http://ohioawnings.com/uploads/1/3/0/6/130604775/6229721.pdf
    • http://2020blue.org/uploads/1/3/0/5/130538891/130538891.html#hikvision+ip+camera+4mp+bullet

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000105f.bin
f18f8db530e5785a287c60fe882131be4a486dd7359e7bfecf8395f4b866d6c7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x105F 9208 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.