Malicious PDF — malware analysis report

Static analysis result for SHA-256 dd14386cca032476…

MALICIOUS

PDF

36.1 KB Authoring application: Nitro PDF
MD5: 5690dd5e130694c95c45fd517be5970b SHA-1: d8248d313cbe9477d3e1d0c649598d70583f61ce SHA-256: dd14386cca032476aada62f8c58464af740b72a18f33e5e3c25c0c077201e688
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The file is identified as malicious by ClamAV with the signature Pdf.Phishing.TtraffRobotInstall-7605656-0. Static analysis revealed embedded external URIs pointing to other PDF files, suggesting a phishing or redirection attempt. The document body is heavily obfuscated and does not provide clear textual lures.

Heuristics 3

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://bitemenewengland.com/uploads/1/3/0/2/130271217/f4fa3642.pdf
    • http://beltwayig.com/uploads/1/3/0/3/130379371/6715c3f83d1e.pdf
    • http://newyorkalternativecare.com/uploads/1/3/0/6/130604922/bonejeseki.pdf
    • http://nurhayatighazalispmwriting.weebly.com/uploads/1/3/0/2/130289508/7595483.pdf
    • http://afterall-this.com/uploads/1/3/0/5/130539129/130539129.html#john+deere+gs3+2630+manual

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000011c3.bin
848ee4567e8a177d4842bcd1a0f7978f22c8d0d757e643f003eb76b88700b4ba		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11C3 8952 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.