Malicious PDF — malware analysis report

Static analysis result for SHA-256 bc0b3b681fa27372…

Verdict: MALICIOUS
File type: PDF
Size: 1.31 MB
Authoring application: ImageMagick
MD5: 36bd8408853680396bf66d0315f0a534
SHA-1: fc8759cba4944936213a280027842e61d16c9c4e
SHA-256: bc0b3b681fa27372c2752a9ad32ee05c3632db736dc22fada2a3bf9a558a9fa3
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The file is identified as malicious by ClamAV with the signature Pdf.Phishing.TtraffRobotInstall-7605656-0. Static analysis revealed an embedded URI pointing to a suspicious domain, which is likely part of a phishing or malware distribution scheme. The document body contains garbled text, suggesting it is not intended to be read by a human but rather to host malicious content or an exploit.

Machine Learning

  • Nyx PDF Classifier clean score 0.0104

Heuristics (3)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename / Kind / Source / Size

  • font_00_sfnt_off0000440f.bin
    SHA-256: 8be86ba5958c9b2d685f956a7dda826f2891d8e6d58f742393c5a9ffa90cc941
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x440F
    Size: 4496 bytes
  • font_01_sfnt_off00005782.bin
    SHA-256: 6c61288e7542be267e298cbe08b0c359813f8dd8dd78fb22b3e33559d2a9beac
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5782
    Size: 14580 bytes
  • font_02_sfnt_off0009a857.bin
    SHA-256: 61ca593122bdf9f8d2de89784c713a2b278bdd5b054eff5a59c50fd3ef05b3a5
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9A857
    Size: 16148 bytes