Malicious PDF — malware analysis report

Static analysis result for SHA-256 e0ca2a367b9ca23d…

Verdict: MALICIOUS
File type: PDF
Size: 38.7 KB
Authoring application: LibreOffice
MD5: 332d53b2b68e5311521614974e87f661
SHA-1: 870558d93a1e963d7e2bc7849456a0c1c4790bff
SHA-256: e0ca2a367b9ca23d6cd35f65203a2bba446fb1d817cae9cc6e89d3baf3e6dcb9
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The file is a PDF document that contains multiple embedded URLs, all of which are flagged as unknown reputation. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier strongly indicate malicious intent, likely phishing. The document body, though heavily obfuscated, also contains some of these URLs, reinforcing the lure. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Artifact 1
  Filename: font_00_sfnt_off00001103.bin
  SHA-256: 9b1fd5e6d51da378a5cf1f478573102ed6932549550b82690feeeda8c60f51f6
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1103
  Size: 8344 bytes

Artifact 2
  Filename: font_01_sfnt_off00005bdb.bin
  SHA-256: 11eff0542ee112a7a4f3d5fa86892f13f7f7c80edb17354215cea33bb7714487
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5BDB
  Size: 2768 bytes