Malicious PDF — malware analysis report

Static analysis result for SHA-256 b28caf2ddd5cc5b5…

Verdict: MALICIOUS

File type: PDF

Size: 180.2 KB
Authoring application: Mobipocket Creator
MD5: e6afa2027f939fddc7ecb988d73b0225
SHA-1: 889bc9c93e12eb676193b09224cedbb2ad94d25b
SHA-256: b28caf2ddd5cc5b5f804c00625d0d79d27d63c5e4cb2b71739a76c9d65490769
Risk Score: 94

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The file is a PDF containing multiple embedded URLs, identified by ClamAV as Pdf.Phishing.TtraffRobotInstall-7605656-0. The ML classifier also flagged it as malicious. The embedded URLs likely serve as lures to download further malicious content, such as additional PDFs or executables. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9953

Heuristics (3)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, tag: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI (severity: info, tag: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, tag: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off00006abd.bin
    SHA-256: 71ed75134d20e6bc5cc29282c28481a5ac129012755350d539ee0f62b77a76ee
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6ABD
    Size: 2700 bytes
  • font_01_sfnt_off00007751.bin
    SHA-256: 711c037d0f5da1ca0b0e3962c38beefad7b5fd4b9d320557411027f98e1f1359
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7751
    Size: 9500 bytes
  • font_02_sfnt_off00014dde.bin
    SHA-256: f31c439e28d0137206b91a151f21343900f846ed9ff070250fbe82eb1cc7da1d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14DDE
    Size: 16204 bytes