Malicious PDF — malware analysis report

Static analysis result for SHA-256 216d9caf89ca2d13…

Verdict: MALICIOUS
File type: PDF
Size: 47.4 KB
Authoring application: ImageMagick
MD5: c54498c3298b7cf22ad82dd165ca88f2
SHA-1: 2bbefab2ce626384f7622c51a5a392dba9dbde91
SHA-256: 216d9caf89ca2d134faccec82629a1c75485b2cb0e174481681344511a09d527
Risk score: 92

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Link; T1059.001 PowerShell
T1566.002 is Spearphishing Link (T1566.001 is Spearphishing Attachment), and the link mapping is the one the evidence supports: the sample's only malicious behaviour is the set of external URLs it carries. Nothing in the static findings below supports the T1059.001 (PowerShell) mapping, since no JavaScript, OpenAction or Launch action was flagged, so treat that technique as unverified for this sample.

The file is a PDF carrying several external URL actions, flagged by the PDF_URI heuristic. Both the ClamAV signature and the ML classifier mark the file as malicious, and the ClamAV signature name (Pdf.Phishing.TtraffRobotInstall-7605656-0) classifies it as phishing. No script or launch action was flagged, so the document's payload is the set of links, which most likely lead to further lure documents or phishing pages. Five of the six URLs point to .pdf files under the same /uploads/1/3/0/n/<id>/ path structure on different domains, and the sixth carries a search-engine-bait fragment (a game title), which is consistent with one phishing campaign spreading the same lure across many hosts.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (3)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. A URL on its own is not a detection; the channel that reached each URL (macro, JavaScript, link annotation, document body, ...) is recorded per URL where known.
    • http://xoadd.me/uploads/1/3/0/7/130739087/1627191.pdf
    • http://nashvilleweaverwedding.com/uploads/1/3/0/6/130620769/1858a5d7cad45c9.pdf
    • http://momentsbyval.com/uploads/1/3/0/4/130435556/tekidopazazozokawaxi.pdf
    • http://naturebandz.com/uploads/1/3/0/6/130622038/duxakudata.pdf
    • http://academy.hashtagpositivity.com/uploads/1/3/0/5/130551402/vuriloz_pekuwipazim.pdf
    • http://nuobeijinghotel-chinese.devsite-1.com/uploads/1/3/0/5/130589339/130589339.html#legend+of+zelda+ocarina+of+time+master+quest
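The PDF_URI and EMBEDDED_URL heuristics above amount to locating /URI actions in the file, including inside FlateDecode streams, and noting whether any script or launch action accompanies them. The following Python script is an added example of that triage step, written for this page and not part of the analysis platform or of the report; the function names, the regexes and the constructed sample PDF (with example.invalid placeholder URLs) are all assumptions made here, and it uses only the standard library.

```python
import hashlib
import re
import zlib
from typing import Optional

# Hypothetical helper regexes. They run over raw bytes on purpose, so objects
# that are not reachable from the xref table are still inspected.
URI_RE = re.compile(rb'/URI\s*\(((?:[^()\\]|\\.)*)\)')            # /URI (literal string)
STREAM_RE = re.compile(rb'(?<!end)stream\r?\n(.*?)\r?\nendstream', re.S)  # raw stream bodies
RISKY_KEY_RE = re.compile(rb'/(JavaScript|JS|OpenAction|Launch|AA|EmbeddedFile)\b')


def _inflate(data: bytes) -> Optional[bytes]:
    """Return the inflated stream body, or None if it is not zlib (FlateDecode) data."""
    try:
        return zlib.decompressobj().decompress(data)
    except zlib.error:
        return None


def triage(pdf: bytes) -> dict:
    """Static triage of a PDF: hashes, external URL actions and risky action keys.

    URLs are collected from the raw file and from every stream that inflates,
    deduplicated in order of appearance. 'external_uri' mirrors the PDF_URI
    heuristic; 'flags' lists action keys that would evidence script execution.
    """
    regions = [pdf]
    for body in STREAM_RE.findall(pdf):
        inflated = _inflate(body)
        if inflated is not None:
            regions.append(inflated)

    urls, flags = [], set()
    for region in regions:
        for raw in URI_RE.findall(region):
            url = raw.decode("latin-1")
            if url not in urls:
                urls.append(url)
        flags.update(key.decode() for key in RISKY_KEY_RE.findall(region))

    return {
        "md5": hashlib.md5(pdf).hexdigest(),
        "sha256": hashlib.sha256(pdf).hexdigest(),
        "external_uri": bool(urls),
        "urls": urls,
        "flags": flags,
    }


def build_sample_pdf() -> bytes:
    """Constructed sample (not the analysed file): a one-page PDF with a Link
    annotation whose URI action points to a lure URL, plus a FlateDecode stream
    hiding a second URI action. The example.invalid URLs are placeholders."""
    head = (
        b"%PDF-1.4\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 200 100] /Annots [4 0 R] >> endobj\n"
        b"4 0 obj << /Type /Annot /Subtype /Link /Rect [10 10 190 30] "
        b"/A << /S /URI /URI (http://example.invalid/uploads/1/3/0/7/lure.pdf) >> >> endobj\n"
    )
    hidden = b"<< /S /URI /URI (http://example.invalid/page.html#legend+of+zelda) >>"
    packed = zlib.compress(hidden)
    stream_obj = (
        b"5 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
        + packed
        + b"\nendstream endobj\n"
    )
    return head + stream_obj + b"trailer << /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    result = triage(build_sample_pdf())
    print("SHA-256:", result["sha256"])
    print("external URI action:", result["external_uri"])
    for url in result["urls"]:
        print("  URL", url)
    print("risky keys:", sorted(result["flags"]) or "none")
```

The sample reproduces the shape of this report's findings: URLs present (PDF_URI and EMBEDDED_URL would fire) and an empty flag set, which is exactly why a T1059 mapping cannot be read off the static evidence. Two limits to keep in mind when pointing this at real samples: /URI values written as hex strings (<...>) are not matched, and streams using filters other than FlateDecode are skipped rather than decoded.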

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded sfnt (TrueType/OpenType container) font programs; none of the detections above relates to them, but their hashes are listed so they can be correlated with other samples that reuse the same font streams.

Filename: font_00_sfnt_off00001104.bin
  SHA-256: 8ff7622f92bbfb7f209d8f5e2755bb3793d3a212f3a8031736642520370438d9
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1104
  Size: 8764 bytes

Filename: font_01_sfnt_off0000644a.bin
  SHA-256: e91619dfd4c72a85464d95ef1ba4e67df13020651c42071bafbe521a61d9f7fc
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x644A
  Size: 2652 bytes

Filename: font_02_sfnt_off00006db2.bin
  SHA-256: c59b8e96f63cbdd235a0b1b1a1d59b541fe0e20914103a091d0c077fe7f5b8ed
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6DB2
  Size: 8300 bytes