Malicious PDF — malware analysis report

Static analysis result for SHA-256 d5ca02a82bf2ca3b…

Verdict: MALICIOUS
File type: PDF
Size: 256.4 KB
Authoring application: ImageMagick
MD5:     1ee50b27c2e39815edcc84f3c8a3921a
SHA-1:   1dc3184dcac51af2f7ab090bc4aa1926b7eb3ccc
SHA-256: d5ca02a82bf2ca3b5412d5ca61ac2791741e4cecccf6dd2cd007219e5172844d
Risk score: 92

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Link (T1566.002 is Spearphishing Link; Spearphishing Attachment is T1566.001. A PDF lure whose payload is a set of external links fits the former; the attachment sub-technique applies only to the delivery of the PDF itself.)
T1059.001 PowerShell (no PowerShell or other script content appears in the static findings below; treat this mapping as unsupported by the listed evidence.)

The file is a PDF whose URI actions point at further PDF files hosted on thirteen unrelated third-party sites: two on weebly.com and the rest under the same /uploads/1/3/0/... path layout, plus one .html page whose URL carries a search-bait fragment (#dark+souls+3+cinders+mod). This PDF-to-PDF redirection pattern, the ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 and the classifier's 0.9217 score together support a phishing/redirector verdict. The static findings contain no script or exploit content: the document is a lure, and the harm comes from whatever the linked pages serve at click time, which a static scan cannot observe. Treat the listed URLs as indicators for blocking and retro-hunting, not as a complete picture of the campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9217

Heuristics (3)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://calljasonmyers.com/uploads/1/3/0/6/130621542/de3e625773abe.pdf
    • http://senalista.com/uploads/1/3/0/5/130540072/namupananodipuzofe.pdf
    • http://pchelpformom.net/uploads/1/3/0/6/130621203/xozupotexatur.pdf
    • http://zibiwupi.spagid.com/uploads/2020/01/28/8125524.pdf
    • http://rooftopmissions.com/uploads/1/3/0/4/130489351/d16972ad2e.pdf
    • http://knoxfoodtours.com/uploads/1/3/0/5/130551140/179064.pdf
    • http://trfmontpelier.com/uploads/1/3/0/3/130323531/vesakesinubugax_lefozum.pdf
    • http://musiccitypetpartners.net/uploads/1/3/0/6/130604429/pujoz.pdf
    • http://designersfashionexperiences.weebly.com/uploads/1/3/0/6/130605283/zesutinirole_vidokixuzuliju.pdf
    • http://becausegoodness.com/uploads/1/3/0/6/130604574/8b95c.pdf
    • http://petpalspetandhomecare.com/uploads/1/3/0/4/130488530/54c89c10b7b09f.pdf
    • https://muzetikoxufam.weebly.com/uploads/1/3/0/4/130476385/vimonijapip-birugozub-megemowaso.pdf
    • http://tcsonline.net/uploads/1/3/0/5/130589400/130589400.html#dark+souls+3+cinders+mod
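The "Embedded URL" heuristic above distinguishes the channel that reaches each URL (link annotation, open action, JavaScript, document body) from the URL itself. The following script is an added example of that labelling, written for this page and not the scanner's own code: a stdlib-only walk over a PDF's uncompressed objects that tags every URL with the channel carrying it and inflates /FlateDecode content streams before scanning them. The PDF it parses is a constructed fixture, not the analysed sample, and example.invalid is a placeholder host; object streams (/ObjStm), hex-encoded strings and actions reached through an indirect /A reference are not resolved, so use pdfid, peepdf or pypdf on real samples.

```python
"""Label every URL in a PDF with the channel that carries it (added example)."""
import re
import zlib

# Constructed toy PDF (NOT the analysed sample): one URL per channel.
SAMPLE_PDF = rb"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction << /S /URI /URI (http://example.invalid/open.pdf) >> >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>
endobj
4 0 obj
<< /Type /Annot /Subtype /Link /Rect [72 700 300 720] /A << /S /URI /URI (http://example.invalid/uploads/1/3/0/6/lure.pdf) >> >>
endobj
5 0 obj
<< /Length 70 >>
stream
BT /F1 12 Tf 72 650 Td (Visit https://example.invalid/body.html) Tj ET
endstream
endobj
6 0 obj
<< /S /JavaScript /JS (app.launchURL\("http://example.invalid/js.pdf", true\);) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Second constructed fixture: a bare URL inside a Flate-compressed content stream.
_DEFLATED = zlib.compress(b"BT (see http://example.invalid/zipped.html) Tj ET")
FLATE_PDF = (b"%PDF-1.4\n9 0 obj\n<< /Length " + str(len(_DEFLATED)).encode()
             + b" /Filter /FlateDecode >>\nstream\n" + _DEFLATED
             + b"\nendstream\nendobj\n%%EOF\n")

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# PDF literal strings are ( ... ) and may contain backslash-escaped parens.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
JS_RE = re.compile(rb"/JS\s*\(((?:\\.|[^\\)])*)\)")
URL_RE = re.compile(rb"""https?://[^\s()<>"']+""")


def _unescape(s: bytes) -> bytes:
    # Drop PDF string escapes: backslash + any char becomes that char.
    return re.sub(rb"\\(.)", rb"\1", s)


def _classify(body: bytes) -> str:
    """Channel name for a /URI action that lives in this object."""
    if re.search(rb"/Subtype\s*/Link", body):
        return "link_annotation"   # clickable link on a page
    if b"/OpenAction" in body:
        return "open_action"       # fires as soon as the document opens
    return "uri_action"            # URI action without a visible anchor


def _stream_text(body: bytes) -> bytes:
    """Concatenated stream data of one object, inflated when /FlateDecode is declared."""
    out = b""
    for m in STREAM_RE.finditer(body):
        data = m.group(1)
        if b"/FlateDecode" in body:
            try:  # decompressobj tolerates a trailing EOL byte that the regex may keep
                data = zlib.decompressobj().decompress(data)
            except zlib.error:
                pass  # corrupt or multi-filter stream: scan it raw
        out += data + b"\n"
    return out


def extract_pdf_urls(data: bytes) -> dict:
    """Map each URL to the sorted list of channels that reach it."""
    found = {}

    def tag(url: bytes, channel: str) -> None:
        found.setdefault(url.decode("latin-1").rstrip(".,;:"), set()).add(channel)

    for _num, _gen, body in OBJ_RE.findall(data):
        channel = _classify(body)
        for m in URI_RE.finditer(body):
            tag(_unescape(m.group(1)), channel)
        for m in JS_RE.finditer(body):
            for url in URL_RE.findall(_unescape(m.group(1))):
                tag(url, "javascript")
        # Whatever is left in the dictionary text or the page content stream is a
        # bare URL in the document body, not an action the viewer fires.
        plain = STREAM_RE.sub(b"", JS_RE.sub(b"", URI_RE.sub(b"", body)))
        for url in URL_RE.findall(plain + _stream_text(body)):
            tag(url, "document_body")
    return {url: sorted(ch) for url, ch in sorted(found.items())}


if __name__ == "__main__":
    for url, channels in extract_pdf_urls(SAMPLE_PDF).items():
        print(f"{','.join(channels):16} {url}")
```

Run on a real sample, the same function gives the per-URL labels the heuristic refers to; a URL that appears only as document_body is text the user must copy by hand, whereas link_annotation and open_action URLs are one click (or zero clicks) away.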

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded fonts, which are routine in PDFs; they are listed for completeness and carry no detection of their own.

Columns: Filename, SHA-256, Kind, Source, Size

font_00_sfnt_off000016a9.bin
  SHA-256: c0b9a5502fab090a0750d20ef269227a684d4838905bd6b331b152c1e3f1a3d3
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x16A9
  Size:    8716 bytes

font_01_sfnt_off00008841.bin
  SHA-256: fac38433125b026a93ccf7d28d93a1c45c6e5eb06370aed4cdb2a5f713cb8396
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x8841
  Size:    13116 bytes
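The carved artifacts above are sfnt (TrueType/OpenType) fonts located by offset inside the PDF. The script below is an added example of how such a carver works, written for this page and not the scanner's own code: it finds sfnt table directories by magic, validates the header fields the way a font parser would (so that the word "true" in ordinary PDF syntax is rejected), computes the font's extent from its table directory, and names each blob with the same font_NN_sfnt_offXXXXXXXX convention as the table. The font and the PDF wrapper are constructed fixtures, not the analysed sample; table checksums are not verified.

```python
"""Carve embedded sfnt fonts out of a PDF by header validation (added example)."""
import hashlib
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")


def build_fake_sfnt() -> bytes:
    """Constructed two-table sfnt used as the demo payload (not a real font)."""
    tables = [(b"head", b"\x00" * 54), (b"name", b"toy-font")]
    num = len(tables)
    entry_selector = num.bit_length() - 1          # floor(log2(numTables))
    search_range = (1 << entry_selector) * 16
    hdr = struct.pack(">4sHHHH", SFNT_MAGICS[0], num, search_range,
                      entry_selector, num * 16 - search_range)
    recs, body, off = b"", b"", 12 + 16 * num
    for tag, data in tables:
        recs += struct.pack(">4sIII", tag, 0, off, len(data))
        padded = data + b"\x00" * (-len(data) % 4)  # tables are 4-byte aligned
        body += padded
        off += len(padded)
    return hdr + recs + body


FAKE_SFNT = build_fake_sfnt()

# Constructed PDF wrapper (not the analysed sample). "/Marked true" is a
# deliberate false-positive candidate for the "true" magic.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Marked true >>\nendobj\n"
              b"7 0 obj\n<< /Length " + str(len(FAKE_SFNT)).encode()
              + b" /Length1 " + str(len(FAKE_SFNT)).encode() + b" >>\nstream\n"
              + FAKE_SFNT + b"\nendstream\nendobj\n%%EOF\n")


def parse_sfnt_at(buf: bytes, pos: int):
    """Return the carve length if a plausible sfnt starts at pos, else None."""
    if pos + 12 > len(buf):
        return None
    _ver, num, search_range, entry_selector, range_shift = struct.unpack_from(">4sHHHH", buf, pos)
    if not 1 <= num <= 64:
        return None
    es = num.bit_length() - 1
    # The three derived header fields must agree with numTables; the bytes that
    # follow a stray "true" or 00 01 00 00 in PDF syntax almost never do.
    if (search_range, entry_selector, range_shift) != ((1 << es) * 16, es, num * 16 - (1 << es) * 16):
        return None
    dir_end = 12 + 16 * num
    if pos + dir_end > len(buf):
        return None
    end = dir_end
    for i in range(num):
        tag, _csum, off, length = struct.unpack_from(">4sIII", buf, pos + 12 + 16 * i)
        if not all(0x20 <= c < 0x7F for c in tag):      # tags are printable ASCII
            return None
        if off < dir_end or pos + off + length > len(buf):
            return None
        end = max(end, off + length)
    return (end + 3) & ~3                               # pad to a 4-byte boundary


def carve_sfnt(buf: bytes) -> list:
    """Return one dict per carved font: name, offset, size, sha256, data."""
    fonts, pos = [], 0
    while True:
        hits = [i for i in (buf.find(m, pos) for m in SFNT_MAGICS) if i != -1]
        if not hits:
            return fonts
        pos = min(hits)
        size = parse_sfnt_at(buf, pos)
        if size is None:
            pos += 1                                    # not a font; keep scanning
            continue
        data = buf[pos:pos + size]
        fonts.append({"name": f"font_{len(fonts):02d}_sfnt_off{pos:08x}.bin",
                      "offset": pos, "size": size,
                      "sha256": hashlib.sha256(data).hexdigest(), "data": data})
        pos += size                                     # skip past the carved font


if __name__ == "__main__":
    for f in carve_sfnt(SAMPLE_PDF):
        print(f"{f['name']}  {f['sha256']}  offset 0x{f['offset']:X}  {f['size']} bytes")
```

Carving by header rather than by the stream's declared /Length is deliberate: a malformed or deceptive /Length is common in malicious PDFs, whereas the table directory has to be internally consistent for any viewer to render the font.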