Malicious PDF — malware analysis report

Static analysis result for SHA-256 ef101a8580c6c907…

MALICIOUS

PDF

153.4 KB Authoring application: Pdftk
MD5: 655b9a3c388f24366b5731b4b32f1144 SHA-1: 14610dc0559a026a164469e40aec920476716f82 SHA-256: ef101a8580c6c907e324d8644bf7bbf834c107be4b1bd16deea5956d363b4842
110 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The document contains a lure related to payment redirection, suggesting a business email compromise or phishing attempt. The presence of multiple embedded URLs, including one pointing to a PDF hosted on weebly.com, indicates a likely attempt to redirect the user to malicious content. The ClamAV detection further supports the malicious classification.

Heuristics 5

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Payment redirection / bank-detail change lure high SE_PAYMENT_REDIRECT_LURE
    Document describes new or changed bank, wire, ACH, IBAN, SWIFT, or routing instructions — a high-value business-email-compromise pattern
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://bomixabiwitajij.weebly.com/uploads/1/3/0/2/130291545/denesikik_devaman_kemufowi.pdf
    • http://bonys-clinic.ru/uploads/2020/01/27/poditixo.pdf
    • http://allamericandogexpo.com/uploads/1/3/0/4/130476458/7783151.pdf
    • http://beres.wiki-compac.info/uploads/2020/01/27/zilinisugizaw.pdf
    • http://fawibu.milalevchuc.info/uploads/2020/01/29/bopuwow_soxipupufeju_nigena.pdf
    • http://mthornhill.weebly.com/uploads/1/3/0/4/130436163/gosanedibikanu.pdf
    • http://pakuni.cryo-mag.ru/uploads/2020/01/28/zareviled.pdf
    • http://aquariumsalesandservice.com/uploads/1/3/0/5/130543170/616320.pdf
    • http://nickygibbsdance.weebly.com/uploads/1/3/0/6/130639661/04d4082c.pdf
    • http://middleschoollessons.com/uploads/1/3/0/2/130270991/efe7417b2.pdf
    • https://suzeviposavuru.weebly.com/uploads/1/3/0/5/130539885/2026944.pdf
    • http://kinderdagverblijfzandopdemat.nl/uploads/1/3/0/5/130538859/wasokisoku-zejafobabiji.pdf
    • http://now.barcelonaswing.cat/uploads/2020/01/27/2114191.pdf
    • http://nashvilledancecooperative.net/uploads/1/3/0/2/130274166/0b038905a636.pdf
    • http://mexonthemenu.com/uploads/1/3/0/6/130604730/wefoxodilurawowepex.pdf
    • http://stokesed508webpage.com/uploads/1/3/0/4/130436415/130436415.html#comptia+network++pdf+study+guide

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000164a.bin
ab3299754ad8a86cd0976296e0399105dc707944e8561c61476982c2facd4d5d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x164A 8724 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.