Malicious PDF — malware analysis report

Static analysis result for SHA-256 aa6332189c8e5e0c…

Verdict: MALICIOUS
File type: PDF
Size: 40.0 KB
Authoring application: PDFedit
MD5: af2bfaa429d0df554c54a1ba5cdbe9c0
SHA-1: bb8481239d6b5996c1847d3b31630f6c4c64c363
SHA-256: aa6332189c8e5e0c7ba2e049c0f9a49e49fd4494da8e1d1264141f6fb5c886c8
Risk score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Link
  • T1204.002 User Execution: Malicious File

The file is a PDF document detected by ClamAV as 'Pdf.Phishing.TtraffRobotInstall-7605656-0'. It contains multiple embedded URLs, one of which is reached through an external URI action (the PDF_URI heuristic below). The document body, although heavily obfuscated, contains the text 'Get your guide paris food tour', which matches the fragment of the last listed URL and suggests a lure to download further content. The URLs share the same /uploads/ path layout across unrelated domains, which points to a phishing or social-engineering campaign rather than legitimate links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://jufo.toutusage.com/uploads/2020/01/28/e52352.pdf
    • http://banyantreeconsulting.co.uk/uploads/1/3/0/2/130289543/butixem-newato.pdf
    • http://carolynrim.com/uploads/1/3/0/6/130604306/dudoxuwetupomawix.pdf
    • http://deanvukelicstonemason.com/uploads/1/3/0/5/130539078/9418089.pdf
    • http://sandyspringspestpros.com/uploads/1/3/0/4/130435833/kijajagabemipiz.pdf
    • http://newstylemarket.com/uploads/1/3/0/7/130775758/130775758.html#get+your+guide+paris+food+tour

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000110c.bin
SHA-256: d1915d5f7636fe1ff2ca3813e9253886c0e8688277cdbf018da3b23b0f5b358e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x110C
Size: 10124 bytes

Filename: font_01_sfnt_off00005482.bin
SHA-256: 6e33c1ebd08e9cb297a10070118ba295f2a592f739d2349220314ae527170031
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5482
Size: 16484 bytes
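The two mechanisms this report relies on, labelling each extracted URL by the channel that carried it (a /URI link action versus text in the decoded document body) and carving embedded sfnt font streams with their offset, size and SHA-256, can be reproduced with a small static scanner. The following is an added example, not the analysis platform's own code; the sample PDF it builds and the *.example.test hosts in it are constructed for the demonstration, and the literal-string unescaping covers the octal and hex obfuscations a phishing PDF commonly uses to hide a URL from naive grep.

```python
"""Static PDF triage: URL channel labelling and sfnt font carving.
Added example, not the report tool's code. The sample PDF and the
*.example.test hosts below are constructed for the demonstration."""
import hashlib
import re
import zlib

# Link/action dictionaries carry the target as /URI (literal) or /URI <hex>.
URI_LITERAL_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
URI_HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]+)>")
# Raw stream bodies; the dictionary before 'stream' says how they are encoded.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.S)
URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
SFNT_MAGIC = (b"\x00\x01\x00\x00", b"true", b"OTTO")  # TrueType, Mac TrueType, CFF OpenType


def unescape_literal(s: bytes) -> bytes:
    # Undo PDF literal-string escapes: \( \) \\ and octal \ddd (a common obfuscation).
    out, i = bytearray(), 0
    while i < len(s):
        if s[i] == 0x5C and i + 1 < len(s):          # backslash
            j = i + 1
            if 0x30 <= s[j] <= 0x37:                  # up to three octal digits
                k = j
                while k < len(s) and k - j < 3 and 0x30 <= s[k] <= 0x37:
                    k += 1
                out.append(int(s[j:k], 8) & 0xFF)
                i = k
            else:
                out.append(s[j])
                i = j + 1
        else:
            out.append(s[i])
            i += 1
    return bytes(out)


def decoded_streams(pdf: bytes):
    """Yield (offset of raw stream data, decoded bytes) for each stream object."""
    for m in STREAM_RE.finditer(pdf):
        header = pdf[max(0, m.start() - 300):m.start()]
        header = header[header.rfind(b" obj"):] if b" obj" in header else header
        body = m.group(1)
        if b"/FlateDecode" in header:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue                              # corrupt or multi-filter stream: skip
        yield m.start(1), body


def extract_urls(pdf: bytes) -> list[tuple[str, str]]:
    """(channel, url): 'uri-action' from link/action dicts, 'body' from decoded streams."""
    found = []
    for m in URI_LITERAL_RE.finditer(pdf):
        found.append(("uri-action", unescape_literal(m.group(1)).decode("latin-1")))
    for m in URI_HEX_RE.finditer(pdf):
        digits = re.sub(rb"\s", b"", m.group(1))
        digits += b"0" if len(digits) % 2 else b""    # spec pads an odd final digit with 0
        found.append(("uri-action", bytes.fromhex(digits.decode()).decode("latin-1")))
    for _, body in decoded_streams(pdf):
        found.extend(("body", u.decode("latin-1")) for u in URL_RE.findall(body))
    return list(dict.fromkeys(found))                 # dedupe, keep first-seen order


def carve_fonts(pdf: bytes) -> list[dict]:
    """Embedded sfnt fonts, like the report's 'pdf-font-stream' artifacts."""
    return [{"offset": off, "size": len(body), "sha256": hashlib.sha256(body).hexdigest()}
            for off, body in decoded_streams(pdf) if body[:4] in SFNT_MAGIC]


def triage(pdf: bytes) -> dict:
    urls = extract_urls(pdf)
    return {"size": len(pdf), "sha256": hashlib.sha256(pdf).hexdigest(),
            "PDF_URI": any(ch == "uri-action" for ch, _ in urls),  # external URL action present
            "urls": urls, "fonts": carve_fonts(pdf)}


def build_sample_pdf() -> bytes:
    """Constructed input: a literal /URI with an octal-escaped slash, the same action
    hex-encoded, a deflated page stream whose text carries a URL, and a deflated
    TrueType-looking font stream. All hosts are hypothetical."""
    text = b"BT /F1 12 Tf 72 700 Td (Get your guide: http://lure.example.test/tour.pdf) Tj ET"
    page, font = zlib.compress(text), zlib.compress(b"\x00\x01\x00\x00" + b"\x00" * 60)
    hex_uri = b"http://hex.example.test/x.pdf".hex().encode()
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R 6 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(page) + page + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI "
        b"/URI (http://dl.example.test/uploads\\0572020/e52352.pdf) >> >>",
        b"<< /Type /Annot /Subtype /Link /Rect [0 30 100 50] /A << /S /URI /URI <" + hex_uri + b"> >> >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(font) + font + b"\nendstream",
    ]
    out = bytearray(b"%PDF-1.4\n")
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return bytes(out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
```

Run `triage(build_sample_pdf())` to get the hashes, the PDF_URI flag, the three URLs with their channels and the one carved font. The scanner works on raw bytes, so it does not see inside object streams (/ObjStm) or non-Flate filters and is a triage aid, not a parser; for a sample like this one, confirm the findings with a real PDF object parser before acting on a URL that only a heuristic produced.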