Malicious PDF — malware analysis report

Static analysis result for SHA-256 331f1f7126d81528…

Verdict: MALICIOUS
File type: PDF
Size: 44.6 KB
Authoring application: pstoedit
MD5: e8454b9ff1fc8bce9102d6279386075c
SHA-1: 913eba9d7193c86dc9c493f838d7c536e554fee2
SHA-256: 331f1f7126d8152850fd51456e255b92208bb23fd476bf5256c0447b9fc3d32e
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The file is a PDF document identified as malicious by multiple detection engines, including ClamAV and an ML classifier. It contains numerous embedded URLs, all of which point to external PDF or HTML files hosted on suspicious domains. The document body, though partially obfuscated, suggests a lure related to a 'Framed ink book pdf' to entice users to click these links and download further malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics 3

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://xafesunox.goodbreak.ru/uploads/2020/01/28/706442.pdf
    • http://nmcawomenscricket.com/uploads/1/3/0/4/130483191/dovoziroxinukewu.pdf
    • http://kefemaked.bonita-casa.ru/uploads/2020/01/29/nekekisidasa-pulojitor-wedodopaz.pdf
    • http://onthemoveholistichealth.com/uploads/1/3/0/4/130489958/5853553.pdf
    • http://xad.rusdosug-24love.fun/uploads/2020/01/29/kisafukimiv.pdf
    • http://foothillsbiblefellowship.com/uploads/1/3/0/6/130620874/130620874.html#framed+ink+book+pdf

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off000010ad.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x10AD  8264 bytes
  SHA-256: b02d7b0d2d4c2c199e4323ae553a7a5a88a76a03d12a4bdaf86dc0d68c452ba6
font_01_sfnt_off00007457.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x7457  2600 bytes
  SHA-256: 41d5c9cb4d60b7530e3cfd93a78efd430fe179aa57a8296e74fb8a971da4b0ee