Malicious PDF — malware analysis report

Static analysis result for SHA-256 71275441119234e9…

Verdict: MALICIOUS
File type: PDF
Size: 67.6 KB
Authoring application: Scribus
MD5: 834f1207fdeba75321c51eb593284178
SHA-1: d573c24a547707c8ffb56831484373c8dfd51250
SHA-256: 71275441119234e9f9514b46e3fb71c7cea16095ac1b66519d7eaa49ffb2b8c1
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file was detected as malicious by the ML classifiers and by ClamAV, which identified it as Pdf.Phishing.TtraffRobotInstall. The URLs embedded in the document body strongly suggest a phishing lure intended to trick users into downloading further malicious content. The presence of multiple unknown-reputation URLs points to a likely distribution infrastructure for malicious files.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9831

Heuristics (3)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI (severity: info, tag: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Columns: Filename (with SHA-256), Kind, Source, Size

font_00_sfnt_off00001221.bin
    SHA-256: 930d1e849c79a83f6aec27e2e74dd3a94b31ce0b8b7e0a481d1d9b2e132c86b1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1221
    Size: 9960 bytes

font_01_sfnt_off0000888e.bin
    SHA-256: f388a82a4e6ca148db21ceb5af82ffed4857bda8e9fee65a9580be684499df29
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x888E
    Size: 10316 bytes

font_02_sfnt_off00009e2b.bin
    SHA-256: 5278024270de67705d3a5034a26ce2f5e1d9e53f50705cc770b2190155f81e7b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9E2B
    Size: 6728 bytes

font_03_sfnt_off0000ae88.bin
    SHA-256: 5cd192291bbdd456ec20b25fa6d29b3d126cc2cb199b558aef23c22895fa0621
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xAE88
    Size: 2784 bytes

font_04_sfnt_off0000b98e.bin
    SHA-256: 10fe64910792afb85bd1f1dc1fe5569c892977fd06053abbb5f3396de0e9b563
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xB98E
    Size: 24464 bytes