Malicious PDF — malware analysis report

Static analysis result for SHA-256 7514f80817cce914…

Verdict: MALICIOUS
File type: PDF
Size: 45.4 KB
Authoring application: SWFTools
MD5: c57007f21c6d6ecc62f29a14cba7ea29
SHA-1: 1e7787d39b5db2772565d1dd9705df026d3f06e7
SHA-256: 7514f80817cce91410bf131882fc63fee68d8a4acbaad649cb3b6daa1c947bbe
Risk Score: 102

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

This PDF file was detected as malicious by ClamAV with the signature Pdf.Phishing.TtraffRobotInstall-7605656-0. It contains multiple embedded URLs pointing to other PDF or HTML files, suggesting a phishing or redirection attempt. The presence of a visual download button heuristic further supports the conclusion that the document is designed to trick users into downloading malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, ID: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Visual download / call-to-action button lure (severity: low, ID: SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (severity: info, ID: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://amstelkorendag.nl/uploads/1/3/0/4/130476062/8285825.pdf
    • http://newenglandopportunityproject.org/uploads/1/3/0/7/130740537/d9089913.pdf
    • http://servicepartnervanderveenassen.nl/uploads/1/3/0/2/130274370/71d020fc9.pdf
    • http://citizentrack.com/uploads/1/3/0/4/130489361/panara.pdf
    • http://swenwaterreus.com/uploads/1/3/0/5/130588712/zelesumazudu.pdf
    • http://moodlabnewlife.nl/uploads/1/3/0/4/130435743/130435743.html#blackpink+forever+young+video+song
    • http://www.adobe.com/).Noto
    • http://www.google.com/get/noto/http://www.adobe.com/type/This
    • http://scripts.sil.org/OFLNoto

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000010da.bin
  SHA-256: 358833fbb4c3cb9e564d3b27e96dd338a5acfa027daa4cbd343e7ee16e4c05b4
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x10DA
  Size: 8780 bytes

Filename: font_01_sfnt_off0000674b.bin
  SHA-256: af908810bd72da9cb331966ab388400fa43e117fd4a9b2c0401417d55f153d60
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x674B
  Size: 8104 bytes