Malicious PDF — malware analysis report

Static analysis result for SHA-256 51ef0f4f3d52616f…

Verdict: MALICIOUS
File type: PDF
Size: 41.1 KB
Authoring application: pdf-parser
MD5: 2be25d1120dc102fc3da44e504ab305f
SHA-1: 35053c1efbbb37149bfea4d9b73f9b9ab720942a
SHA-256: 51ef0f4f3d52616f9e3b716f963049098e547f5a6dd7c473d736473e42a495cf
Risk Score: 104

Malware Insights

MITRE ATT&CK
T1204 / T1204.001 Malicious Link

The PDF contains a heuristic firing for a browser extension installation lure, indicating a social engineering attempt to trick the user into downloading further malicious content. The embedded URL points to a PDF file, likely intended to be the payload. ClamAV detection further supports the malicious nature of the file.

Heuristics 4

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Browser extension / update installation lure [high] SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
      • http://migeorgeson.com/uploads/1/3/0/6/130621554/kumur-tamaziti-vovadedowe.pdf
      • http://avishafilm.weebly.com/uploads/1/3/0/2/130287835/2180250.pdf
      • http://rosshousemuseum.ca/uploads/1/3/0/6/130621072/ca9b8a47ad0c.pdf
      • http://thesingbabysingshow.com/uploads/1/3/0/4/130478648/130478648.html#swagger+offline+editor

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename: stream_004_off00005702.bin
  SHA-256: d0596d1689277ffb497c57ed1d5a905f2fdc21fc47639c6522c1feded461604a
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x5702
  Size: 16912 bytes

Filename: font_00_sfnt_off00000fc5.bin
  SHA-256: e4e3c929e2f2e50e6d8d5a095278e1b362739836222730085188912013fcc1bc
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xFC5
  Size: 8440 bytes

Filename: font_01_sfnt_off00004e95.bin
  SHA-256: 1bde79eb7722a28deef970374de2cca0b523eb01a8d7032b8f8741bd6ccf999c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x4E95
  Size: 1708 bytes