Malicious PDF — malware analysis report

Static analysis result for SHA-256 d3c030d1a82ac601…

Verdict: MALICIOUS
File type: PDF
Size: 44.6 KB
Authoring application: PDFBox
MD5: a3af57e52f0651f73686fedad2a6e3e5
SHA-1: f25ea3ebdaaf5a9ee3f0ffb63cf6bf6d60220b44
SHA-256: d3c030d1a82ac60117e08084feb166621715b8a72ec01d74020ed9486dea098b
Risk score: 92

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The file is a PDF document that contains multiple embedded URLs. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier strongly indicate malicious intent, likely phishing. The embedded URLs are the primary means of delivering the malicious payload, directing users to download further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9997

Heuristics (3)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://test-person-reg.com/uploads/2020/01/28/bozuwelu_vimib_joguti.pdf
    • http://calvinsynclare.com/uploads/1/3/0/7/130775049/gudikazulorobofit.pdf
    • http://bwstook.com/uploads/1/3/0/7/130739389/rebanorus-lefejobomuz-dajetokifiz-naguwix.pdf
    • http://skylighthk.com/uploads/1/3/0/5/130545434/0002a19038063.pdf
    • http://carpetcleancary.com/uploads/1/3/0/6/130603976/130603976.html#dn80+butterfly+valve+3d+model

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000108b.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x108B  9080 bytes
    SHA-256: b486d17336977b6646721fe2da617813d6bddea6f748ff48df44f9f7931ab2b5
font_01_sfnt_off00005ef3.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x5EF3  2652 bytes
    SHA-256: 3d52fc27d04b8b84b219df719738f768697e09c2050136bc1fe69fcddf4eca6e
font_02_sfnt_off000067cc.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x67CC  16148 bytes
    SHA-256: 667a33df7c9e52f165f3e60ff71eb391fc86bca77a1f35e0ac0215f7b07e6997