Malicious PDF — malware analysis report

Static analysis result for SHA-256 bdafeb7986a6a7b7…

Verdict: MALICIOUS
File type: PDF
Size: 186.6 KB
Authoring application: SWFTools
MD5: 911aed6746673f8ced386a6a5a4a2e52
SHA-1: 10d1a4be876cb04e58694493ce8ebb20a1cb0bc2
SHA-256: bdafeb7986a6a7b739db66bf3d3b1d53f0e1165c47f6b8fa5caca9844e887ba4
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The file is a PDF document that contains multiple embedded URLs, one of which is flagged as an external URI. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' strongly suggests a phishing campaign. The embedded URLs likely lead to further malicious content or phishing pages. No scripts were extracted from this sample.

Heuristics (3)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI (severity: info; tag: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info; tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://haluktekin.com/uploads/1/3/0/6/130604766/volikimibaluxuz-ziwugojuziterol.pdf
    • http://itsybitsyinvestments.com/uploads/1/3/0/8/130874623/d823789.pdf
    • http://risacromer.com/uploads/1/3/0/6/130621351/b28d5d663c.pdf
    • http://aviplan.info/uploads/1/3/0/8/130813804/nubuvufo.pdf
    • http://noticias.aeromar.mx/uploads/1/3/0/2/130270985/36821280cd07b1.pdf
    • http://millionairemomasia.com/uploads/1/3/0/5/130539370/42813b6.pdf
    • http://sloaneswayze.com/uploads/1/3/0/2/130288348/9e6cbe3fdcc.pdf
    • http://conversationsonthegreen.org/uploads/1/3/0/7/130739318/322652.pdf
    • http://kelaesthetics.com/uploads/1/3/0/7/130775641/levevupo.pdf
    • http://filipinoamericanmarketing.com/uploads/1/3/0/5/130588984/bavanojisas.pdf
    • http://www.thecigarpeddler.net/uploads/1/3/0/6/130620297/mojijogo.pdf
    • http://rudynts.com/uploads/1/3/0/3/130323789/saduzopufowuw-nitolu-rirefotugasov-bufowudapewig.pdf
    • http://doortoinc.com/uploads/1/3/0/6/130620987/gujijosepi.pdf
    • http://www.travellingtreasureboxes.com/uploads/1/3/0/6/130603969/wolivo.pdf
    • http://warsawumc.net/uploads/1/3/0/8/130814057/lotolide_nodotogikil_zepumolesatukem_kexuvemoma.pdf
    • http://www.bodybyjules.com/uploads/1/3/0/3/130323182/razivezi_dalonenuwik_xemaroxezi.pdf
    • http://bearsversusbabiesgame.com/uploads/1/3/0/4/130483512/lazujezuke-wixufonitatujez.pdf
    • http://ilkerbasirli.de/uploads/1/3/0/3/130313000/namab_nosunekabiduwop.pdf
    • http://nootkasoundretreats.com/uploads/1/3/0/3/130312965/mitevot-nirezotex-nanadazorozivag.pdf
    • http://www.noelleharb.com/uploads/1/3/0/6/130620694/noderawurerumuv-zokasizig-boxapexoki.pdf
    • http://beshearsconsulting.com/uploads/1/3/0/2/130289495/zigebazow.pdf
    • http://srcdev.com/uploads/1/3/0/5/130588230/lelutunove.pdf
    • http://london-office-3.pleasingfood.com/uploads/1/3/0/3/130379167/130379167.html#adverbs+manner+and+modifiers+%D0%B3%D1%80%D0%B0%D0%BC%D0%BC%D0%B0%D1%82%D0%B8%D0%BA%D0%B0
    • http://warsawumc.net/uploads/1/3/0/8/130814057/lotolide_nodotogikil_zepumolesatukem_kexuvemom

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001df2.bin
SHA-256: b7b74573eaf93fb4d67d2964a7aed368dfb489b16fe5e7bcee93ab8246dd6ab1
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1DF2
Size: 15412 bytes

Filename: font_01_sfnt_off0002186e.bin
SHA-256: e2f1373bf3d70a40ff4276a486f0a1d2d32154e4f45ad1243a44c3d3b7d91cea
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x2186E
Size: 2652 bytes