Malicious PDF — malware analysis report

Static analysis result for SHA-256 b7e1b56478d3d382…

Verdict: MALICIOUS
File type: PDF
Size: 38.6 KB
Authoring application: GIMP
Risk score: 62

MD5: 3db0baa30fd3f77d648b368ba7eb159c
SHA-1: 4b2654d091e9add6db3da0f3de1b62ca7c344669
SHA-256: b7e1b56478d3d3829829f57214e34cb28db1d33e80a97b2c7ba4d7c36941df05

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The ClamAV heuristic indicates this PDF is a phishing lure. The embedded URLs and document body text, though partially corrupted, point to external resources that likely host further malicious content. The primary attack vector appears to be tricking the user into clicking a link that leads to a malicious PDF download.

Heuristics (3)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://quintepaddlingclub.com/uploads/1/3/0/5/130545189/7008695.pdf
    • http://knb-fun.fun/uploads/2020/01/28/9515033.pdf
    • http://montessorimentor.org/uploads/1/3/0/4/130488812/8476784.pdf
    • http://abundantpeacechildbirth.com/uploads/1/3/0/7/130740151/130740151.html#ahirete+iman+etmek+insan%C4%B1n+hayat%C4%B1n%C4%B1

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000011bd.bin
SHA-256: e0d763b9be05130d20bc2d9cf00650cdb7f5080dd30c7d30bc70945acae6e13c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x11BD
Size: 9992 bytes