Malicious PDF — malware analysis report

Static analysis result for SHA-256 070ad58b05381685…

MALICIOUS

PDF

Size: 221.8 KB
Authoring application: Smallpdf Desktop
MD5: c95aa5a39b35a84f88183e813bb52184
SHA-1: 345db193daec6298bebec8a3a94c702098f724f0
SHA-256: 070ad58b053816857e72ece7b61d1e6b46ebc7f818c7b8104f97f766f65147b1
Risk Score: 94

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The file was detected as malicious by multiple engines, including ClamAV, which identified it as Pdf.Phishing.TtraffRobotInstall. The embedded URLs suggest a phishing attempt where the user is directed to download a malicious PDF. Although no scripts were explicitly extracted, the PDF structure and embedded URIs are indicative of a malicious document designed to trick users into downloading further malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9705

Heuristics (3)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003c31.bin
SHA-256: 277989b016ab652bde580c38ef7d0636652f50664fbf66575dcc6ecf70713d35
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3C31
Size: 8024 bytes