Malicious PDF — malware analysis report

Static analysis result for SHA-256 ea927587c59b4b2a…

MALICIOUS

PDF

Size: 40.2 KB
Authoring application: ImageMagick
MD5: 46d1ad4b1c91e7f68f6af3d4a3ca3467
SHA-1: be5250f1f369307a94a29c309d1c9edd4066be6e
SHA-256: ea927587c59b4b2a4139a728485b6043ef51c5f165b3220969d3466707b79241
Risk score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1566.002 Phishing: Spearphishing Link (the embedded /URI actions send the reader to externally hosted content)
T1059.001 Command and Scripting Interpreter: PowerShell (unverified: none of the static findings below shows PowerShell, JavaScript or a launch action)

The file is a PDF whose link annotations carry /URI actions pointing to three further PDF files and one HTML page, spread across four domains. ClamAV matches the signature Pdf.Phishing.TtraffRobotInstall-7605656-0, which indicates phishing or malware-distribution intent. The external URIs show that the document's role is to redirect the reader to content hosted elsewhere rather than to carry a payload itself: the only artifact carved from the sample is an 11096-byte embedded sfnt font, and no JavaScript, OpenAction or launch action was flagged. The document text is obfuscated and yields no clear textual lure; the lure is visible only in the fragment of the last URL, #o+abutre+filme++dublado (Portuguese: "the vulture, dubbed film"), which is consistent with a pirated-media download lure aimed at Portuguese-speaking users. All four URLs share the same /uploads/1/3/0/N/<nine-digit id>/ path layout, which suggests the same hosting platform, and likely the same operator, behind all four domains. Treat the URLs as indicators to block and as leads for fetching the next stage; the hosting is trivially replaceable, so the next-stage files should not be assumed to be static.

Heuristics (3)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://mistykwilliams.com/uploads/1/3/0/4/130477566/roxidos.pdf
    • http://whatthehula.org/uploads/1/3/0/6/130621758/vadekep.pdf
    • http://thebedrockinitiative.org/uploads/1/3/0/3/130379380/8713539.pdf
    • http://miracleinabucket.com/uploads/1/3/0/6/130604848/130604848.html#o+abutre+filme++dublado

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000011d2.bin
SHA-256:  78a563fcd43ac74b988a64a1440b9f563b1bed62b11bb4148f96ea69216d300e
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x11D2
Size:     11096 bytes
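The two mechanical steps behind the report's URL list and its artifact row, enumerating /URI actions by channel and carving an sfnt font stream with its offset, size and SHA-256, can be reproduced with a short script. The following is an added example, not the analysis platform's own code: it uses only the Python standard library, the PDF it scans is constructed inline (hosts under the reserved .example TLD, a 64-byte placeholder font), and the channel labels 'raw' and 'flate-stream' are this example's own names rather than the report's.

```python
"""Static PDF triage: enumerate /URI actions per channel and carve embedded
sfnt font streams (offset, size, SHA-256), mirroring the report's URL and
artifact sections. Added example using only the standard library; it is not
the analysis platform's own code, and the sample PDF is constructed here."""
import hashlib
import re
import zlib

# sfnt magics: TrueType, OpenType/CFF, Apple TrueType, TrueType collection.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")

# /URI followed by a literal (...) string (escaped parens allowed) or <hex>.
URI_RE = re.compile(
    rb"/URI\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)")
# 'stream' keyword, excluding the one inside 'endstream'.
STREAM_START_RE = re.compile(rb"(?<!end)stream\r?\n")
# Direct /Length only; '/Length 12 0 R' (indirect) and '/Length1' do not match.
DIRECT_LENGTH_RE = re.compile(rb"/Length\s+(\d+)\s*(?=/|>>)")


def sha256_hex(b: bytes) -> str:
    return hashlib.sha256(b).hexdigest()


def _pdf_string(m: re.Match) -> str:
    """Decode the matched PDF string (hex or literal) to text."""
    if m.group("hex") is not None:
        clean = re.sub(rb"\s", b"", m.group("hex")).decode()
        return bytes.fromhex(clean).decode("latin-1")
    lit = re.sub(rb"\\([()\\])", rb"\1", m.group("lit"))  # unescape \( \) \\
    return lit.decode("latin-1")


def iter_streams(data: bytes):
    """Yield (body_offset, body) per stream. Honour a direct /Length in the
    preceding dictionary; otherwise fall back to the next 'endstream'."""
    for m in STREAM_START_RE.finditer(data):
        start = m.end()
        head = data[max(0, m.start() - 300):m.start()]
        lengths = DIRECT_LENGTH_RE.findall(head)
        if lengths:                      # the last one belongs to this object
            body = data[start:start + int(lengths[-1])]
        else:
            end = data.find(b"endstream", start)
            body = data[start:end].rstrip(b"\r\n")
        yield start, body


def extract_uris(data: bytes) -> list[tuple[str, str]]:
    """Return unique (channel, url) pairs. 'raw' = /URI action visible in the
    file body; 'flate-stream' = only visible after inflating a FlateDecode
    stream (object streams, compressed annotation dictionaries)."""
    found = [("raw", _pdf_string(m)) for m in URI_RE.finditer(data)]
    for _, body in iter_streams(data):
        try:
            inflated = zlib.decompress(body)
        except zlib.error:               # not Flate (fonts, images, ...)
            continue
        found += [("flate-stream", _pdf_string(m)) for m in URI_RE.finditer(inflated)]
    return list(dict.fromkeys(found))


def carve_sfnt_fonts(data: bytes) -> list[dict]:
    """Carve stream bodies starting with an sfnt magic; name them like the
    report's 'font_NN_sfnt_offXXXXXXXX.bin' artifact rows."""
    fonts = []
    for off, body in iter_streams(data):
        if body[:4] in SFNT_MAGICS:
            fonts.append({"name": f"font_{len(fonts):02d}_sfnt_off{off:08x}.bin",
                          "offset": off, "size": len(body),
                          "sha256": sha256_hex(body)})
    return fonts


# --- constructed sample PDF (benign; hosts use the reserved .example TLD) ---
FONT_BYTES = b"\x00\x01\x00\x00" + b"\x00" * 60     # sfnt header + padding
HIDDEN_ANNOT = (b"<< /Type /Annot /Subtype /Link "
                b"/A << /S /URI /URI (http://lure.example/hidden.html) >> >>")


def build_sample_pdf() -> bytes:
    flate = zlib.compress(HIDDEN_ANNOT)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >>",
        b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (http://lure.example/a\\(1\\).pdf) >> >>",
        b"<< /Type /Annot /Subtype /Link /A << /S /URI "
        b"/URI <687474703a2f2f6c7572652e6578616d706c652f622e706466> >> >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(flate) + flate + b"\nendstream",
        b"<< /Length %d /Length1 %d >>\nstream\n" % (len(FONT_BYTES), len(FONT_BYTES))
        + FONT_BYTES + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for i, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"


SAMPLE_PDF = build_sample_pdf()

if __name__ == "__main__":
    for channel, url in extract_uris(SAMPLE_PDF):
        print(f"{channel:13} {url}")
    for f in carve_sfnt_fonts(SAMPLE_PDF):
        print(f"{f['name']} {f['size']} bytes sha256={f['sha256']}")
```

Run it as a script to print the findings for the built-in sample, or call extract_uris() and carve_sfnt_fonts() on bytes read from a real sample. The regexes are deliberately simple: octal escapes inside literal strings and indirect /Length objects are not fully handled, so treat the output as triage rather than a parser-grade result; the carved offset and hash are what you compare against the report's artifact row.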