Malicious PDF — malware analysis report

Static analysis result for SHA-256 8d7db63ffbca7cbb…

MALICIOUS

PDF

266.9 KB Authoring application: Scribus
MD5: 298768410663f4aad0dd342f276eea34 SHA-1: 98bed46f05b3f980f6091c0f44a783ca02b14af9 SHA-256: 8d7db63ffbca7cbb2a97e4d745acb850d934d6496d3130090a9a60da640314a8
120 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File T1059.001 PowerShell

The document employs a browser extension installation lure, instructing the user to install a fake update to view content, which is a common tactic for malware delivery. The embedded URLs likely lead to further stages of the attack, such as downloading additional malicious payloads. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' strongly indicates a phishing and potential installation attempt.

Heuristics 6

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Browser extension / update installation lure high SE_BROWSER_INSTALL_LURE
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Fake invoice / payment lure low SE_INVOICE_LURE
    Document contains invoice or payment language paired with an action verb — useful context when combined with link, macro, or attachment indicators
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ssunitedstatesreef.com/uploads/1/3/0/3/130379110/818751.pdf
    • http://createpowtoon.com/uploads/1/3/0/5/130541837/1871678.pdf
    • http://paradigmcreativeworks.com/uploads/1/3/0/5/130588633/4848316.pdf
    • http://blackbox3dprinting.com/uploads/1/3/0/5/130540525/7225a0.pdf
    • http://mrsbrennersbiology.com/uploads/1/3/0/2/130272890/7493259.pdf
    • http://labviewstudent.net/uploads/1/3/0/4/130483869/14f0df401a5.pdf
    • http://katiegracecollins.com/uploads/1/3/0/6/130604465/tunuda.pdf
    • http://nafovip.mylatestfavoritething.com/uploads/2020/01/28/pebasemexavi.pdf
    • http://scwaterfrontworks.com/uploads/1/3/0/7/130776889/2285137.pdf
    • http://pamavi.nttrus.com/uploads/2020/01/28/70c2382a099bc3.pdf
    • http://a1412531xstreamtravel.xsideas.com/uploads/1/3/0/3/130379231/130379231.html#logistics+coordinator+job+resume

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000015c0.bin
f1162dd79323f023d24d904819221688738ef27c9a564b3e97de6c0f34bae43b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x15C0 9512 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.