Malicious PDF — malware analysis report

Static analysis result for SHA-256 209ab7a61bbe66ff…

MALICIOUS

PDF

Size: 242.2 KB
Authoring application: pdf-parser
MD5: e0895bcadbab0e71a2711a38338632ea
SHA-1: dd2925149986ba644ad111027804a6deb8f52d57
SHA-256: 209ab7a61bbe66ff254a8f5cb246bedd5da691e1e0256d3a9218c458d3f06c2f
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The document body, despite being heavily obfuscated, contains references to downloading a PDF, and the embedded URLs point to suspicious PDF files. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall' and the ML classifier strongly indicate malicious intent. The primary attack pattern involves luring the user to download a malicious PDF disguised as a novel, likely leading to further compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9681

Heuristics (3)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI [info, PDF_URI]
    PDF contains an external URL action
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00001696.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x1696  11176 bytes
  SHA-256: 3cbe43cb1559611ce8bc0c3c26e2079891934c8f0e4e4ed1856ce3fd230ac208