Malicious PDF — malware analysis report

Static analysis result for SHA-256 9700882389ce142a…

Verdict: MALICIOUS
File type: PDF
Size: 151.9 KB
Authoring application: Adobe PDF Library 9.0
MD5: 41f3c392625bf285df0f6177fc6de58c
SHA-1: 7a253eeb8224a12abfa2fd76337cb36747d352a6
SHA-256: 9700882389ce142a26ca481d766a21e23020456d386814f2024d28fddd8e1513
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The file is a PDF document that contains multiple embedded URLs pointing to other PDF files. The ClamAV heuristic 'Pdf.Phishing.TtraffRobotInstall-7605656-0' strongly suggests a phishing or malicious redirection campaign. The embedded URLs are likely part of a lure to download further malicious content, possibly for credential harvesting or malware delivery.

Heuristics (3)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI [info] (PDF_URI)
    PDF contains an external URL action
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size / SHA-256

stream_003_off0000aa7d.bin
  Kind:    decompressed-pdf-stream
  Source:  PDF FlateDecoded stream at offset 0xAA7D
  Size:    23488 bytes
  SHA-256: 755cf8f3a7ecc8d8e39d768c62af916cd0a4fc6441c4afbb0f60cf71261c038a

font_00_sfnt_off00001481.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x1481
  Size:    11692 bytes
  SHA-256: 7eeb97db36b28bc5aea90cb8568adb95c16da8f677fe7a756c9336c18cd1d3ed

font_02_sfnt_off00017656.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x17656
  Size:    5068 bytes
  SHA-256: d5b458599086c1568a320cee4d90f549485c12fc7fa91cc61953707f098429e4

font_03_sfnt_off00018631.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x18631
  Size:    2720 bytes
  SHA-256: 74529300f455f2caaf87d467ea420db71ab23eebfa0f9cdb7c8c6df1db98e794