PDF malware analysis — malicious · 9e27bbce8cb51597

MALICIOUS

PDF

37.3 KB Authoring application: Nitro PDF

MD5: 03b301c8593f3f436175784f82d9f122 SHA-1: c5ef84ee4309996a393e2b4a97e9639f3b0b4e1b SHA-256: 9e27bbce8cb51597c1ca8e23a9aeeb9419c51fdf830fb35f8e4f030a9ef0b80a

92 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious File

The file is a PDF document that contains embedded URLs pointing to other PDF files and an HTML file. The document body, though partially corrupted, suggests a lure related to a 'Groin strain rehabilitation protocol'. The presence of multiple external URLs and the ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall' strongly indicate a phishing or malware distribution attempt.

Machine Learning

Nyx PDF Classifier malicious score 0.9995

Heuristics 3

ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://nirvanastorage.net/uploads/1/3/0/4/130483817/e7d0c9532.pdf
- http://severedthumbsart.com/uploads/1/3/0/7/130775594/janizazofene_nusod_fuvez_safibadabu.pdf
- http://metropolismexican-grill.com/uploads/1/3/0/5/130544826/d784d4046a.pdf
- http://woodlandstuition.com/uploads/1/3/0/6/130639652/130639652.html#groin+strain+rehabilitation+protocol+pdf

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00001025.bin` `05e00eac3d2fb82dd6701af95ef5167e045f1184d04912d98c75916c5e4f6452`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1025	8672 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.