Malicious PDF — malware analysis report

Static analysis result for SHA-256 a61c6139e0d102af…

Verdict: MALICIOUS
File type: PDF
Size: 44.5 KB
Authoring application: Poppler-utils
MD5: e63f953557eca671a47ee1821b6cfed7
SHA-1: 4400f19046b5e00b3b16316d653d062f04d2d232
SHA-256: a61c6139e0d102af166180e86fd63c1cf58d0238309a5f107c40bd47552db174
Risk Score: 94

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The file is a PDF document that uses a lure related to 'Pulmonary oedema symptoms' to trick the user into interacting with it. It contains multiple external URIs pointing to other PDF files, suggesting a phishing or social engineering campaign. The ML classifier and ClamAV detection strongly indicate malicious intent, likely for distributing further malware or phishing content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (3)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://solomanproject.com/uploads/1/3/0/8/130813876/3505458.pdf
    • http://getfreepix.com/uploads/1/3/0/7/130739982/xodanijexagimubibot.pdf
    • http://usseawolf.com/uploads/1/3/0/4/130435583/8174728.pdf
    • http://okashi.be/uploads/1/3/0/2/130289554/xojoji.pdf
    • http://bradleypwright.com/uploads/1/3/0/5/130589318/buvugukemu-gubuvovoxez-fiwesevutuvilo-magafuvegibum.pdf
    • http://allergy.mediutopia.com/uploads/1/3/0/7/130775277/130775277.html#pulmonary+oedema+symptoms

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000107b.bin
  SHA-256: 669c9d812bd7beed53c45e33a993b7c7360cff09cad55a0348272386c7bf383b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x107B
  Size: 8192 bytes

Filename: font_01_sfnt_off000059c8.bin
  SHA-256: 33d0404465bbc0ce3bbd6d7dc579b28366e2a365c03c24711b24ab5cbe567aeb
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x59C8
  Size: 16216 bytes

Filename: font_02_sfnt_off00006ebb.bin
  SHA-256: 5745d062e84a310dca320cb45877f12536b710682adbc25cf03d116cb705ec80
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6EBB
  Size: 4060 bytes