Malicious PDF — malware analysis report

Static analysis result for SHA-256 6fde728da8911528…

Verdict: MALICIOUS
File type: PDF
Size: 78.0 KB
Authoring application: Nitro PDF
MD5: 624f275809076d5ffa184ec05ed4f119
SHA-1: ed5fd1c080700e7ec421c3d6f4a2b03451ccb1e9
SHA-256: 6fde728da89115284e69eeb300bf871d86a1ee78edc048a4b921c17ee142e077
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

Both ClamAV (signature Pdf.Phishing.TtraffRobotInstall-7605656-0) and the Nyx PDF classifier (score 0.9951) flag the sample, so the verdict rests on two independent detections. The PDF carries an external URI action whose target is a .pdf hosted on altasanacion.net; a link that pulls a second document from a remote host is the usual lure-to-second-stage pattern, so that URL is the primary indicator to pivot on. Four further extracted URLs point at .pdf/.html files under the same kind of /uploads/ path on other hosts, one of them carrying a fragment that names the Malcolm Baldrige Performance Excellence Framework, a legitimate management framework used here as a lure theme; the document body also contains obfuscated text. The remaining URLs are font vendor and licence links consistent with the name tables of the embedded sfnt fonts listed under Extracted artifacts and are not indicators on their own. No heuristic in this report observes JavaScript in the file, so the T1059.007 mapping is not corroborated by the findings listed here.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9951

Heuristics (3)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. A URL on its own is not a detection; what matters is the channel that reached it (macro, JavaScript, link annotation, document body, ...), and this report identifies the channel only for the external URI action target. Grouped by what the report supports:
    URI action target (the External URI heuristic above):
      • http://altasanacion.net/uploads/1/3/0/5/130589430/taludivefowuwiw-jusejomazaz-ruwilemaloxepo-zupevonuleposed.pdf
    Other extracted URLs to remote .pdf/.html files (same lure pattern; channel not identified here):
      • https://zerorenomurakur.weebly.com/uploads/1/3/0/5/130550981/fecab3.pdf
      • http://var.site-elit.ru/uploads/2020/01/28/dfefbe1f.pdf
      • http://gochu.ru/uploads/2020/01/28/sagod.pdf
      • http://newstylemarket.com/uploads/1/3/0/5/130541384/130541384.html#malcolm+baldrige+performance+excellence+framework
    Font vendor and licence URLs (consistent with name-table strings of the embedded sfnt fonts under Extracted artifacts; not indicators on their own):
      • http://www.ascendercorp.com/
      • http://www.ascendercorp.com/typedesigners.html
      • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
      • http://dejavu.sourceforge.net
      • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001127.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x1127
  Size:    9184 bytes
  SHA-256: ea74ed5db8400d7fb6a1210ffb4d7e64543681befabe6d5249e1a16d72c2b675

Filename: font_01_sfnt_off00005e73.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x5E73
  Size:    2600 bytes
  SHA-256: 41d5c9cb4d60b7530e3cfd93a78efd430fe179aa57a8296e74fb8a971da4b0ee

Filename: font_02_sfnt_off0000ed64.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xED64
  Size:    16040 bytes
  SHA-256: f77ae30e2eec2ca3578253c0a086b7b4bc83d4d366503269d9bfd12176ed9dae
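As an added example (not the analysis platform's own code), the Python script below reproduces the two things the PDF_URI / EMBEDDED_URL heuristics and the Extracted artifacts table report: it pulls /URI action targets and bare URLs out of a PDF, labelling which channel each came through, and it carves embedded sfnt font streams, naming and hashing them the way the table does. The PDF it runs on is constructed inline with placeholder hostnames (lure.example, fonts.example) and a fake 32-byte TrueType blob; nothing in it is the sample's own content.

```python
"""Added triage example: URL channel labelling and sfnt font carving for a PDF.
Not the analysis platform's code; the PDF bytes are constructed inline."""
import hashlib
import re
import zlib

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")

# Fake TrueType: sfnt magic, numTables=1, 6 bytes of search fields,
# one 16-byte table record, 4 bytes of table data (32 bytes total).
SFNT_FAKE = (
    b"\x00\x01\x00\x00" + b"\x00\x01" + b"\x00\x10\x00\x00\x00\x00"
    + b"head" + b"\x00\x00\x00\x00" + b"\x00\x00\x00\x1c" + b"\x00\x00\x00\x04"
    + b"BODY"
)
# Page text carrying a bare URL, stored FlateDecode'd so a naive grep over
# the raw file does not see it (constructed; fonts.example is a placeholder).
BODY_TEXT = b"BT /F1 12 Tf (See https://fonts.example/wiki/License) Tj ET"
BODY_STREAM = zlib.compress(BODY_TEXT)

# Constructed PDF: a link annotation with a /URI action (lure.example is a
# placeholder), a raw font stream, and the compressed content stream.
PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 6 0 R /Annots [4 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 100]"
    b" /A << /S /URI /URI (http://lure.example/uploads/1/2/3/x.pdf) >> >> endobj\n"
    b"5 0 obj << /Length " + str(len(SFNT_FAKE)).encode() + b" >>\nstream\n"
    + SFNT_FAKE + b"\nendstream\nendobj\n"
    b"6 0 obj << /Length " + str(len(BODY_STREAM)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + BODY_STREAM + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
BARE_URL_RE = re.compile(rb"https?://[^\s()<>\[\]\"']+")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inflate(raw: bytes):
    """Return the FlateDecode'd bytes, or None if the stream is not zlib data."""
    try:
        return zlib.decompress(raw)
    except zlib.error:
        return None


def pdf_literal_to_str(raw: bytes) -> str:
    """Undo the escapes a PDF literal string needs inside a URL: \\( \\) \\\\ ."""
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")


def extract_urls(pdf: bytes) -> dict:
    """Map each URL to its channel: 'uri_action' for /URI action targets
    (the PDF_URI heuristic), 'body' for bare URLs in the raw file or in
    inflated content streams. An action target wins over a body hit."""
    urls = {}
    for m in URI_ACTION_RE.finditer(pdf):
        urls[pdf_literal_to_str(m.group(1))] = "uri_action"
    haystacks = [pdf] + [d for d in (inflate(m.group(1)) for m in STREAM_RE.finditer(pdf)) if d]
    for hay in haystacks:
        for m in BARE_URL_RE.finditer(hay):
            urls.setdefault(m.group(0).decode("latin-1"), "body")
    return urls


def looks_like_sfnt(data: bytes) -> bool:
    """Magic check plus a structural one: the table directory must fit."""
    if len(data) < 12 or data[:4] not in SFNT_MAGICS:
        return False
    num_tables = int.from_bytes(data[4:6], "big")
    return 0 < num_tables < 64 and 12 + 16 * num_tables <= len(data)


def carve_fonts(pdf: bytes) -> list:
    """Carve sfnt font streams (raw or FlateDecode'd), naming them like the
    report: font_NN_sfnt_offXXXXXXXX.bin with the file offset of the stream data."""
    found = []
    for m in STREAM_RE.finditer(pdf):
        raw = m.group(1)
        for data, enc in ((raw, "raw"), (inflate(raw), "flate")):
            if data and looks_like_sfnt(data):
                off = m.start(1)
                found.append({
                    "name": f"font_{len(found):02d}_sfnt_off{off:08x}.bin",
                    "offset": off, "size": len(data), "encoding": enc,
                    "sha256": sha256_hex(data),
                })
                break
    return found


if __name__ == "__main__":
    for url, channel in extract_urls(PDF).items():
        print(f"{channel:10s} {url}")
    for f in carve_fonts(PDF):
        print(f"{f['name']}  {f['size']} bytes  {f['encoding']}  {f['sha256']}")
```

To run it against a real file, replace PDF with the file's bytes. URLs that arrive through a /URI action are the ones to pivot on first; bare URLs found only in font name tables or page text (the licence links in this report) rank below them. The regex approach is a triage pass, not a parser: it misses URLs written as hex strings (<...>) and anything inside object streams, so confirm a clean result with a full PDF parser before closing the case.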