Malicious PDF — malware analysis report

Static analysis result for SHA-256 e0c9bd79579a765b…

MALICIOUS

PDF

34.8 KB Authoring application: LibreOffice Draw
MD5: f97460405e7772688e97bb7981132b0d SHA-1: 0e91e792697b9d06f8ab9cda59d870cef760fc63 SHA-256: e0c9bd79579a765b901b6a85367888441d3d88ad68328d58e1fd364005970fe2
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The file is a PDF document that contains an embedded URI pointing to a malicious PDF. ClamAV detected this file as 'Pdf.Phishing.TtraffRobotInstall-7605656-0', indicating a phishing attempt. The primary attack vector involves tricking the user into downloading a secondary malicious PDF from the provided URL.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics 3

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://gomawonix.ivpallet.ru/uploads/2020/01/28/wotirerebir.pdf
    • http://spanishteachersa.weebly.com/uploads/1/3/0/5/130551299/ropesijatilarifi.pdf
    • http://drtoxy.com/uploads/1/3/0/3/130313203/xasidu_watoxusino_fijilu_zudazowo.pdf
    • http://michaudwellness.com/uploads/1/3/0/5/130539886/130539886.html#time+charter+party+form

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00000fc4.bin
5cdaf45db04ce3ff73135c22c12cbb0ba54d25726648d0d428f8e95752214551		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFC4 7692 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.