Malicious PDF — malware analysis report

Static analysis result for SHA-256 804300fdba68f7aa…

MALICIOUS

PDF

30.4 KB Authoring application: Karbon
MD5: 85d4d078506b534b80ac6c8817e50336 SHA-1: f7be754649e0fdff09faeeca2dc6950fbbf8b8c0 SHA-256: 804300fdba68f7aa630824ed4fde5a9744d0444adfbc402df92173fb3fdcae9d
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The file is a PDF document that contains multiple embedded URLs pointing to other PDF files. The ClamAV heuristic 'Pdf.Phishing.TtraffRobotInstall-7605656-0' strongly suggests a phishing or malicious redirection attempt. The document body, though partially corrupted, mentions 'Jde accounts payable process flow', likely a lure to entice users to click on the embedded links.

Heuristics 3

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://stephengilardi.com/uploads/1/3/0/3/130323968/fowoluforiz.pdf
    • http://slonetelecom.com/uploads/1/3/0/2/130289196/zevuxisetama.pdf
    • http://quantumsatprep.com/uploads/1/3/0/2/130272587/c87e0d58202231b.pdf
    • http://nuobeijing.devsite-1.com/uploads/1/3/0/6/130604627/130604627.html#jde+accounts+payable+process+flow

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00000f38.bin
1c9feddb2ad3977483566e3d3935d5cc4ed0857935189325626c3152c123daf0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF38 7304 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.