Malicious PDF — malware analysis report

Static analysis result for SHA-256 1cbee6302202bad4…

Verdict: MALICIOUS
File type: PDF
Size: 41.7 KB
Authoring application: SWFTools
MD5: 091ac42033b7608d8f3738c2f2eaa233
SHA-1: 8856253780f8a748fd8be81563602dcd16cbb6f4
SHA-256: 1cbee6302202bad4afb010573b214cecba29001977b44cfbc6d18b835fc720bd
Risk score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of embedded URLs, characteristic of a link farm designed to distribute malicious content. The document body explicitly presents a download link for 'TWRP' which redirects to one of these malicious URLs. The ClamAV detection and ML classifier strongly indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000012fb.bin
SHA-256: 9d40effc91a6f06ead2d7ec817fa8cfb817d8b2bf48d6a1807bb206c193228c7
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x12FB
Size: 8360 bytes