Malicious PDF — malware analysis report

Static analysis result for SHA-256 6e32cc845cca6ad7…

MALICIOUS

PDF

Size: 193.4 KB
Authoring application: Adobe PDF Library 9.0
MD5: 7d238642a16aeb23b658cc3c6aac7c95
SHA-1: 4bb5dfe856574821e126b489f79208ff4cc040f3
SHA-256: 6e32cc845cca6ad7f00d404cb0a834dec40e5e100e27cc4079595c7c672fdc59
Risk Score: 94

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The sample is a PDF document that contains embedded links to external PDF files, suggesting it is part of a phishing or malware distribution chain. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier strongly indicate malicious intent, most likely phishing or malware delivery. The document body is heavily obfuscated and provides no clear instructions, but the presence of multiple external links points towards a downloader or redirector role.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9985

Heuristics (3)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical; tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI (severity: info; tag: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info; tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00028886.bin
    SHA-256: bebd08c962c79dc98d567faaade26e88d58e46a072ef4a672746e5ef35ed3868
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x28886
    Size: 6580 bytes
  • Filename: font_01_sfnt_off00029833.bin
    SHA-256: ca889182d22413b1a5b6446cd5d954c095bfc2c8b2fec1022b19199100617195
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x29833
    Size: 16028 bytes
  • Filename: font_02_sfnt_off0002ae87.bin
    SHA-256: b1feeb107613a564c893ac27ccd531b7a8e806539e895c3b88cab28f805d1faf
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2AE87
    Size: 6148 bytes