Malicious PDF — malware analysis report

Static analysis result for SHA-256 9ed23c2d5784ccec…

Verdict: MALICIOUS
File type: PDF
Size: 314.4 KB
Authoring application: pstoedit
MD5: 64aac7897cd89f79428e79ec827493cf
SHA-1: 4cd5cfea8b602e660ba22b32a6e6a817fa3b1de4
SHA-256: 9ed23c2d5784ccec6972f3eb4bfc300a010cd4e50fa0ae774fd50bc473dfce77
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The file was detected by ClamAV as Pdf.Phishing.TtraffRobotInstall-7605656-0, indicating a phishing attempt. The document body contains numerous embedded URLs, all pointing to PDF files on various domains. These URLs are likely used to deliver the actual phishing content or further malicious payloads. The presence of these links strongly suggests a social engineering attack aimed at tricking users into downloading and opening malicious documents.

Heuristics (3)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI (severity: info, tag: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000154c.bin
  SHA-256: 5880a661675b2fa5704181db26d0e2ea268f7f56f7787fcef5dde4792fe57394
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x154C
  Size: 11988 bytes

Filename: font_01_sfnt_off0001ca5f.bin
  SHA-256: 7452b6b49b2d67df973eecb7580c7a2fe344bf55d7b957b3ade50b6969c50269
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1CA5F
  Size: 16068 bytes