Malicious PDF — malware analysis report

Static analysis result for SHA-256 63b92541dcf0db13…

Verdict: MALICIOUS
File type: PDF
Size: 150.3 KB
Authoring application: Nitro PDF
MD5: 561445b5a4230608e0aebeb43837941a
SHA-1: f571e61855d420f9c987ee0754c093d0bc24bac5
SHA-256: 63b92541dcf0db13d93fe560bbd659846d8eed008ac6ae24d261197b7a33f8a3
Risk score: 94

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample was detected as malicious by both ClamAV and an ML classifier, indicating a high likelihood of malicious intent. It contains numerous embedded URLs, which suggests a phishing or malware distribution scheme. The document body is heavily obfuscated and does not present clear instructions to the reader, but the presence of external URI actions points to an attempt to redirect the user to externally hosted malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9966

Heuristics (3)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI (severity: info, tag: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://jasonandjulie.net/uploads/1/3/0/6/130620542/lubimu_dupipebore_tosulidupugit.pdf
    • http://471633614246918175.com/uploads/1/3/0/3/130313500/lawamivedokado.pdf
    • http://woodland-acres.com/uploads/1/3/0/2/130288406/zujuparedemexokib.pdf
    • http://digitalassetsolutions.net/uploads/1/3/0/7/130776826/741a6530c2af66.pdf
    • http://sublimetravels.com/uploads/1/3/0/7/130739119/demalanuma.pdf
    • http://turpinenterprises.com/uploads/1/3/0/7/130738805/f06457c7ba3.pdf
    • http://brennankryan.com/uploads/1/3/0/7/130738603/7865136.pdf
    • http://nettletonband.com/uploads/1/3/0/8/130813860/powixogeg.pdf
    • http://mustangtrucktiresupplier.com/uploads/1/3/0/4/130435892/52b06ed1b5.pdf
    • http://xgens.org/uploads/1/3/0/2/130291434/pineludi.pdf
    • http://commstech-hub.eisf.eu/uploads/1/3/0/8/130813032/lufojago-kuwowo-mubego.pdf
    • http://plexan.net/uploads/1/3/0/5/130589444/1571980.pdf
    • http://www.gainesvillesepticpros.com/uploads/1/3/0/6/130639201/lajimawene.pdf
    • http://businessrescuene.com/uploads/1/3/0/6/130639419/2416565.pdf
    • http://isabellecharbonnet.com/uploads/1/3/0/5/130539928/4b2db.pdf
    • http://adoptme.info/uploads/1/3/0/3/130323506/fonusikez_dopawejuzepi_kujopoki.pdf
    • http://www.spikedias.com/uploads/1/3/0/6/130620228/3e548.pdf
    • http://pobopdx.org/uploads/1/3/0/8/130874495/a5ec0c.pdf
    • http://apolloniacampaign.info/uploads/1/3/0/8/130814851/5c9a069a0410.pdf
    • http://www.autoled.co/uploads/1/3/0/7/130739597/9663618.pdf
    • http://whythedogdied.com/uploads/1/3/0/5/130543188/7385225.pdf
    • http://host178.carmichaelnl.com/uploads/1/3/0/4/130476339/130476339.html#eenadu+news+paper+telugu+ap
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0001e419.bin
    SHA-256: ca889182d22413b1a5b6446cd5d954c095bfc2c8b2fec1022b19199100617195
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1E419
    Size: 16028 bytes
  • Filename: font_01_sfnt_off0001fa5a.bin
    SHA-256: 19922a574bd8c41c38d4f6116c385401026d48533aa2dbc90238d26b9f081275
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1FA5A
    Size: 6008 bytes