Malicious PDF — malware analysis report

Static analysis result for SHA-256 7c1f4774517496b5…

MALICIOUS

PDF

42.6 KB Authoring application: ImageMagick
MD5: 3e040c08df7a0f39d5379a13b0c3fa9a SHA-1: 67c35bf4f3c2e03635f4e4c8ab17908937068169 SHA-256: 7c1f4774517496b50c5ac8c85b68a641fa3c3a9727412bf0cd70cbd07309080c
110 Risk Score

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File T1566.002 Spearphishing Attachment T1059.001 PowerShell

The file is detected as a phishing PDF by ClamAV. The document body contains multiple URLs that likely lead to malicious content, and heuristics indicate a remote support tool lure. The presence of these elements suggests the document is designed to trick the user into downloading and executing a secondary payload, potentially for remote access or further compromise.

Heuristics 5

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Remote-support tool lure high SE_REMOTE_SUPPORT_LURE
    Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect — high-risk in an unsolicited document
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://carolinelizabethsavage.com/uploads/1/3/0/5/130588159/697709.pdf
    • http://taxopunu.posital-encoder.ru/uploads/2020/01/28/8eda15e92.pdf
    • http://picton.school.nz/uploads/1/3/0/6/130620543/0ccccf3dbbd9.pdf
    • http://northwalestimberframes.com/uploads/1/3/0/2/130271113/wejeboveb.pdf
    • http://mysoundcollective.com/uploads/1/3/0/6/130639852/130639852.html#wondershare+filmora+free++for+windows

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000010e5.bin
7ecf6e80122e68fc5088c9ef563823f6e855564e72e880df0309e7786477d2e9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10E5 9516 bytes
font_01_sfnt_off00005d86.bin
6fb799e16d6c53e03f800203b996b76274614d55765c2735255f1fe9f3ad50fa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5D86 16868 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.