Malicious PDF — malware analysis report

Static analysis result for SHA-256 84a45afd9bfb69c8…

MALICIOUS

PDF

Size: 156.1 KB
Authoring application: Soda PDF
MD5: d2826b8887914561212f0da55f50933e
SHA-1: 02895405ba01d3e22c293f24504fe93925c42aa0
SHA-256: 84a45afd9bfb69c8f307080c878fa186d4a77626362ae767aca608fd1ee697ac
Risk score: 92

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The sample is a PDF document that contains multiple embedded URLs pointing to other PDF files. The document body, though partially obfuscated, references medical guidelines, suggesting a lure to trick users into downloading further malicious content. The ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall' and the ML classifier output strongly indicate malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9965

Heuristics (3)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000147e.bin
SHA-256:  f0f13d5c21a4f0abc256b9ed3493047debb453849c21d5bbb9112471f5c8f265
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x147E
Size:     8500 bytes