Malicious PDF — malware analysis report

Static analysis result for SHA-256 a9a0f777224c70ad…

Verdict: MALICIOUS
File type: PDF
Size: 38.5 KB
Authoring application: GIMP
MD5: 52bc62a4cef16c4d7c0e54c03564c870
SHA-1: 51b737bb6f82efafdb1612704e1c5e93291593ff
SHA-256: a9a0f777224c70adaca781cfe492754615884265bb9148a7e0014e450f27287f
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The file is a PDF document that contains multiple embedded URLs pointing to other PDF files. The ClamAV heuristic indicates this is a phishing attempt, likely to trick users into downloading further malicious content. The document body itself is heavily obfuscated but contains references to the embedded URLs, reinforcing the lure.

Heuristics (3)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://anotherchancrecovery.com/uploads/1/3/0/6/130604177/zidud-kurukimukov-dimas.pdf
    • http://networkhearing.net/uploads/1/3/0/6/130621634/7ebf706a8448152.pdf
    • http://mybabyfreebies.com/uploads/1/3/0/5/130588964/jixaletituw-jumapidofap-lalaku.pdf
    • http://mollymauied2013.com/uploads/1/3/0/3/130323341/wijuzolojijidam.pdf
    • http://thehappygirlstore.com/uploads/1/3/0/6/130639824/130639824.html#coreg+davis+plus

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000104b.bin
    SHA-256: 28ee2fa1735a8cb0414f415dae8211e9ef93df661c1ee0d86191d5badfae88fd
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x104B
    Size: 8312 bytes