Malicious PDF — malware analysis report

Static analysis result for SHA-256 062258d888924e6b…

Verdict: MALICIOUS
File type: PDF
Size: 44.2 KB
Authoring application: Serif PagePlus
MD5: 3fdd438fe38d4a0b9733ebfc8d80c189
SHA-1: 796494d51573299bc712b139917ab3e41d84adec
SHA-256: 062258d888924e6b17660dcee1b10b94b97b253838af913b946b2e7802a412de
Risk Score: 134

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains multiple heuristically identified malicious and embedded URLs, with one specifically flagged as a random URL link. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier output strongly indicate malicious intent, likely phishing or a downloader. The document body, though truncated and containing obfuscated text, includes references to URLs that are also present in the extracted URL list, reinforcing the phishing or malware distribution vector.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (4)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • PDF link to algorithmically-generated URL [high, PDF_RANDOM_URL_LINK]
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • External URI [info, PDF_URI]
    PDF contains an external URL action
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000010cb.bin
  SHA-256: 225cdf6d98d8616f6703e11ed09eebf5ff2618b68ef53cfafdb79a6130324455
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10CB
  Size: 8216 bytes

Filename: font_01_sfnt_off000054a5.bin
  SHA-256: a75258d3a3a5a1283e6b3c626e9bc4a0603fa53f69a4a60ea63c129a7d4d210f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x54A5
  Size: 13164 bytes

Filename: font_02_sfnt_off000071d7.bin
  SHA-256: 3d52fc27d04b8b84b219df719738f768697e09c2050136bc1fe69fcddf4eca6e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x71D7
  Size: 2652 bytes