Malicious PDF — malware analysis report

Static analysis result for SHA-256 9686296b7da3a52e…

Verdict: MALICIOUS
File type: PDF
Size: 38.0 KB
Authoring application: GIMP
MD5: 83808214911b614dd389615e27224648
SHA-1: 9859a7530d0a37d6cd6c49d82686c1c038939a28
SHA-256: 9686296b7da3a52e89039cab6edbcee505a464b6325d93eea89b341c8b03ac06
Risk score: 82

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The file is detected as Pdf.Phishing.TtraffRobotInstall-7605656-0 by ClamAV, indicating a phishing attempt. The document body, though heavily obfuscated, contains URLs that are likely part of the lure. The heuristic SE_QR_LURE suggests the document may also instruct users to scan a QR code, further supporting a phishing or social engineering attack pattern. The primary attack vector appears to be directing users to malicious external resources.

Heuristics (4)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • QR-code redirect lure medium SE_QR_LURE
    Document instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000010af.bin
SHA-256: 2c430170b512486531fb5430493e8bf6c3f662af59eae94b095110fe152e7134
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x10AF
Size: 8644 bytes