Malicious PDF — malware analysis report

Static analysis result for SHA-256 746b893fb72ef436…

Verdict: MALICIOUS
File type: PDF
Size: 45.6 KB
Authoring application: Karbon
MD5: 70a2871d4c052cf1e414e72307cf9b56
SHA-1: 03f55179d610c7fc64e3acbd8358fd6e21bf4235
SHA-256: 746b893fb72ef4369d0768d12be89b6fa838fc7b547dc09c7e7e9f1adf9d117e
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The file is a PDF document that contains multiple external URLs, one of which is referenced directly in the document body. The ClamAV detection and the ML classifier both strongly indicate maliciousness, specifically phishing. The embedded URLs likely serve as lures that lead the reader to download further malicious content, such as this PDF itself or other payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://hollandghanaplatform.net/uploads/1/3/0/4/130476053/9115190.pdf
    • http://tohnnyandmicah.com/uploads/1/3/0/5/130588182/ebd824dc361.pdf
    • http://somethinghoppy.com/uploads/1/3/0/4/130483650/wetifisirulomelexav.pdf
    • http://ful.myagent.pro/uploads/2020/01/28/dixitozamamovez-juwetizo-xusumapusomufi-lajatijiwam.pdf
    • http://jape.gruzotaxi-nv.ru/uploads/2020/01/28/fivetuvewiwos.pdf
    • http://riversidecountyhistory.org/uploads/1/3/0/6/130604860/130604860.html#alimentos+con+vitamina+d+pdf
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size

  • Filename: font_00_sfnt_off000010a9.bin
    SHA-256: dc7d81e0338fbcca1beb2a6d9b1ceec276c6bf4f987b3fb3bb84641f4ec5c308
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10A9
    Size: 8696 bytes
  • Filename: font_01_sfnt_off00006cae.bin
    SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6CAE
    Size: 16036 bytes