Malicious PDF — malware analysis report

Static analysis result for SHA-256 5b9ba545087e43be…

Verdict: MALICIOUS
File type: PDF
Size: 52.7 KB
Authoring application: OpenOffice Draw
MD5: 6e165158f98a65ff8d9a27e589bc1e11
SHA-1: 7d8351a53ce372d0863cda714f320dc461514959
SHA-256: 5b9ba545087e43be0a73d77429a8c599b7ff3f1f5a843796f6730561933bdd53
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file was flagged by multiple security tools, including ClamAV and an ML classifier, indicating malicious intent. The document body, though partially corrupted, contains text related to 'Bollywood birthday audio song free' and embeds several URLs that likely serve as lures or download locations for further malicious content. The presence of external URIs suggests an attempt to redirect the user to malicious sites, aligning with phishing or malware distribution tactics.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (3)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://petchow2u.com/uploads/1/3/0/5/130551011/niwoda-lalejelewifo-fekefanasuki.pdf
    • http://mrserickagraham.org/uploads/1/3/0/7/130775853/timiz_zakaxizop_narixavowogi.pdf
    • http://alexiscoutu.com/uploads/1/3/0/5/130544703/konitika.pdf
    • https://kirubunidarid.weebly.com/uploads/1/3/0/5/130551630/vaxugelidaxuzopo.pdf
    • http://nobuhotelriyadh-fullsite.devsite-1.com/uploads/1/3/0/5/130588830/130588830.html#bollywood+birthday+audio+song+free
    • http://fedorahosted.org/lohit
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off00001098.bin
    SHA-256: cdf3e289dc91694836f3748a856e9f6d43a715567b796926cc179a63a929760f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1098
    Size: 8580 bytes
  • font_01_sfnt_off00006cab.bin
    SHA-256: 1723f1ced37cc89d69e30f3df6281c5e5fb8989544fd4587aa75b00c91af2fd0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6CAB
    Size: 1388 bytes
  • font_02_sfnt_off0000764c.bin
    SHA-256: 1dfc43e8cdaecacb1c7dfa26ce952f1211224b421fbb8f1ebde6ed5ea99e2538
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x764C
    Size: 14688 bytes