Malicious PDF — malware analysis report

Static analysis result for SHA-256 12831b152d0276a8…

MALICIOUS

PDF

Size: 40.6 KB
Authoring application: pstoedit
MD5: f1dce8b6b9af1e15a45d88e66bfcb5b3
SHA-1: 16c572512847817283e968380979103052e3cb9c
SHA-256: 12831b152d0276a83d519709ea36b3e1d820e50d90505facab4160bb78d72aba
Risk Score: 134

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The sample is a PDF document containing multiple embedded URLs, one of which is algorithmically generated and points to a potentially malicious HTML file. ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and ML classification further indicate malicious intent. The presence of these links suggests the document is designed to redirect users to malicious content, likely for phishing or to download further malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://artsequences.com/uploads/1/3/0/5/130551197/09aa0a.pdf
    • http://admygrax.weebly.com/uploads/1/3/0/6/130603811/2507545.pdf
    • http://mosquitomaster.net/uploads/1/3/0/4/130435743/fuvowiguf-kaxisonepaborem-kivonutate.pdf
    • http://xxx666xxx.site/uploads/1/3/0/6/130604065/6339657.pdf
    • http://antiviruseprotectserviceonline.site/uploads/1/3/0/6/130639966/130639966.html#inductive+and+deductive+reasoning+definition+pdf

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001063.bin
SHA-256: c24d6a3ca2994fc21778ac72de9820ae645a6b1ec67742791772012ade4f42fd
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1063
Size: 8500 bytes