Malicious PDF — malware analysis report

Static analysis result for SHA-256 5f6ccf83a030b5f3…

MALICIOUS

PDF

Size: 40.8 KB
Authoring application: Poppler-utils
MD5: 3a99d90bd51c6721d6ebc69344250ff0
SHA-1: 8fbe2de32fa674fabd4f291480eb94276dd5fd34
SHA-256: 5f6ccf83a030b5f3c03b6481af284f5ae699d4640157f2e2f88281882a6a271a
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by ML classifiers and ClamAV, which specifically identified it as a phishing attempt. It contains multiple embedded URLs that likely lead to further malicious content, such as other PDFs. The presence of these URLs together with the phishing classification strongly suggests an attempt to trick users into downloading malware or visiting malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, etc.) reached each URL.
    • http://huba.tech/uploads/2020/01/28/e8f07d7e7e34a.pdf
    • http://teshekpuklake.com/uploads/1/3/0/4/130483384/9607888.pdf
    • http://kylaconner.com/uploads/1/3/0/2/130289386/5732762.pdf
    • https://kexatavujex.weebly.com/uploads/1/3/0/6/130604215/jajirimuko.pdf
    • http://bluecubeworkshop.com/uploads/1/3/0/3/130312964/0ea4e07f525b8.pdf
    • http://northwestuu.com/uploads/1/3/0/6/130604737/130604737.html#android+10+call+recording
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00001188.bin
    SHA-256: f66726cb760c0a9daafc57dfd663534069779169a7bc88eedbe36bc49d6084e2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1188
    Size: 7596 bytes
  • Filename: font_01_sfnt_off0000526c.bin
    SHA-256: 0a19d3ec01c2bd5f2da2e654894ff9caac3df97291af1acb5ff150be3e6b34cf
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x526C
    Size: 18100 bytes