Malicious PDF — malware analysis report

Static analysis result for SHA-256 d61cc0893761ea08…

MALICIOUS

PDF

26.9 KB Authoring application: QPDF
MD5: aad3078860bc558145086f783b012dd0 SHA-1: 843099ccacc8e1f5b6a02810a7e15da8900c3cd0 SHA-256: d61cc0893761ea08d9c4c3213fd8aefbaf0cb9edc12cc59cba320843db944fdb
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The file is a PDF document that contains embedded URLs pointing to other PDF files and an HTML file. The document body text, though partially corrupted, suggests it is a referral form, likely a lure to encourage users to download and open the linked malicious content. ClamAV detection as 'Pdf.Phishing.TtraffRobotInstall' further supports a phishing-related attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9993

Heuristics 3

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://newimagesfencing.com/uploads/1/3/0/3/130313488/butufigu-xinenubuje.pdf
    • http://futejor.archisidek.com/uploads/2020/01/28/5778674.pdf
    • http://lyonchambers.com/uploads/1/3/0/4/130483902/gopuviv.pdf
    • http://kylaconner.com/uploads/1/3/0/7/130775641/130775641.html#ataps+referral+form+gold+coast

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00000f21.bin
7bb9a91598bb00c798d0f8528062d0887942d1b2978a5ec92d51f0b99fe4ebc4		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF21 7012 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.