Malicious PDF — malware analysis report

Static analysis result for SHA-256 db92d60f975eab9e…

MALICIOUS

PDF

Size: 153.9 KB
Authoring application: Poppler-utils
MD5: 368757055c8d180c43f69f92191766f5
SHA-1: 519498f2803bc081d1f037bd3544cf80395c3f92
SHA-256: db92d60f975eab9e567233d7e4f33c3b2f5f631c0a3adf66c648acc8a3ab0856
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The file is a PDF document that contains multiple embedded URLs, several of which are flagged as suspicious and lead to PDF files. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' strongly suggests a phishing or malicious traffic redirection intent. The ML classifier also flagged the document with high confidence. The document body contains obfuscated text and references to Android x86 and VMware, which may be part of a lure or exploit chain.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9484

Heuristics (3)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: stream_005_off0000b4df.bin
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0xB4DF
  Size: 132928 bytes
  SHA-256: 663196faf734e1ad547327dd56c4100bdde12d1d175f5ce910a0dbbca88db34a

Filename: font_00_sfnt_off00001326.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1326
  Size: 8412 bytes
  SHA-256: b66c46d171df9a1c00264637dbc1180360e23d3bf1c455b7ac4a79b909ec131a

Filename: font_01_sfnt_off00008a5c.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8A5C
  Size: 16036 bytes
  SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63

Filename: font_02_sfnt_off00009e73.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x9E73
  Size: 2776 bytes
  SHA-256: e8c95f7b1af78f81c130bf67af8ad8c7b0efc62fface0895e497fb6eff2689b3