PDF malware analysis — malicious · e0a683211b7a3453

MALICIOUS

PDF

154.2 KB Authoring application: Soda PDF

MD5: 833851a9f92b6247a4c6c6530559b478 SHA-1: 00faa49bb3ee0278e7422f4577a3c1feb00f0896 SHA-256: e0a683211b7a3453393025115e4bb9bd8c60c0a05993b19a5292b6237b6d6599

142 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The file is identified as a PDF document exhibiting characteristics of an advance-fee scam, specifically mentioning lottery or parcel delivery lures. The presence of embedded URLs suggests a redirection to further malicious content or phishing pages. ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' further supports the phishing and potential payload delivery intent.

Heuristics 5

ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE

Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE

Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://70008922.nhd.weebly.com/uploads/1/3/0/2/130289723/2597507.pdf
- https://vigapatak.weebly.com/uploads/1/3/0/4/130436313/972385.pdf
- http://shopjollygoods.com/uploads/1/3/0/3/130312961/6a632e1e3.pdf
- http://solomanproject.com/uploads/1/3/0/6/130620382/tufazuxamomaxa.pdf
- http://talipi.supersfereon.fun/uploads/2020/01/29/seduvunu-zinivureludoxo.pdf
- http://wearmonster.com/uploads/1/3/0/5/130590410/8aa7bf3910cf17.pdf
- http://mysouthshorecharteracademy.com/uploads/1/3/0/3/130379777/bd783.pdf
- http://contractorwholesale.com/uploads/1/3/0/4/130483649/suzomudiz-zadimutukutixu.pdf
- http://dad.tht-premiere.online/uploads/2020/01/28/6431017.pdf
- http://nkbadvisors.com/uploads/1/3/0/6/130604766/nirikasuzuzuguw-loviwirabeputaz.pdf
- http://vanmarkitonmusic.com/uploads/1/3/0/7/130775539/tiwumo.pdf
- http://holdenshouseco.com/uploads/1/3/0/6/130621484/mekesabifa-lofifesanuj-zovut.pdf
- http://multistreams.com/uploads/1/3/0/4/130491075/130491075.html#whatsapp+calling+application

Extracted artifacts 7

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_004_off0001151c.bin` `6a7122089c965b5d62955752fc527cfb3af2b578f66cc3cc50739b68d83a4acc`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0x1151C	19748 bytes
`font_00_sfnt_off00001723.bin` `253ff5fe6d1a0f46251d9d95abb8ba938a32610e2f508a847e86604683b5adc6`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1723	16380 bytes
`font_02_sfnt_off0001cb92.bin` `03742b3af56d0894ab5df65dc3134d6d1f1537ecfbbc759efc3d5c9763d8381a`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1CB92	6908 bytes
`font_03_sfnt_off0001e152.bin` `bbd465158f88620f6b89bbc14fd4053a393fda34b464cf5d9625b9580ee6f51f`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1E152	10240 bytes
`font_04_sfnt_off0001f71d.bin` `868a07a666c5032a714f2e4aaba4b67d05df30d312a0dd626753a432c02aa9de`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1F71D	8480 bytes
`font_05_sfnt_off00020d6b.bin` `99c5193cfd8c036c1ae011c773f5a8e9b9247b36e3e6dc2fbfbefde82fa9f0cc`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x20D6B	8400 bytes
`font_06_sfnt_off000223ec.bin` `4c93801c4768b9cf34ec960e4f85d683fdbe353adcc5a9e70f9f8b41c5e92470`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x223EC	3508 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.