MALICIOUS
92
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious File
The file is a PDF document detected as malicious by ClamAV and an ML classifier, specifically identified as a phishing attempt. The document body, though heavily obfuscated, contains references to 'Firewall apk mirror' and multiple URLs pointing to other PDF files, suggesting a lure to download further malicious content. The presence of external URIs and embedded URLs strongly indicates a phishing or social engineering attack.
Machine Learning
- Nyx PDF Classifier malicious score 0.9999
Heuristics 3
-
ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
-
External URI info PDF_URIPDF contains an external URL action
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://koerpertherapie-massagen.com/uploads/1/3/0/6/130604185/3720268.pdf
- http://miupnorthwedding.com/uploads/1/3/0/5/130588784/f0517ec51966.pdf
- http://houseofmapa.com/uploads/1/3/0/2/130288361/1599786.pdf
- http://newmoses.com/uploads/1/3/0/3/130323738/1a1ae3b25.pdf
- http://ineedexercise.com/uploads/1/3/0/4/130435555/9910155.pdf
- http://mychinesewatch.com/uploads/1/3/0/6/130604874/130604874.html#firewall+apk+mirror
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off000010b8.bin2b76ff807e7963de4230e9db811e2d01cba2c4c0328c25c87c5add9802dd21f3 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x10B8 | 9516 bytes |
font_01_sfnt_off000060c5.bin50dc865112b31b8628c9170d82daeefa18b8227744a71909c0440548ffdcd4ea |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x60C5 | 16132 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.