Malicious PDF — malware analysis report

Static analysis result for SHA-256 e7e0e20ed0e650fb…

MALICIOUS

PDF

58.2 KB Authoring application: QPDF
MD5: aec70a4bbae3e5ea24cbea827825e9c4 SHA-1: 22c126ceed71110400f9b96e1f50e7904106c473 SHA-256: e7e0e20ed0e650fbea6b7567f2dd92ff65c14b02244553180b839ed129945067
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The file is a PDF document that contains embedded URLs pointing to other PDF files. The document body text, though partially garbled, includes references to academic content ('Makalah rotifera pdf') and the QPDF application, suggesting a lure to download further malicious content. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier strongly indicate malicious intent, likely related to phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9983

Heuristics 3

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://istartlocal.net/uploads/1/3/0/2/130287881/xigini.pdf
    • http://kavkaz-car.ru/uploads/2020/01/28/kuwinoja.pdf
    • http://royalanimals.com/uploads/1/3/0/2/130271126/3bc9a11a1be.pdf
    • http://ne-surgerycenter.net/uploads/1/3/0/4/130435650/totukivire.pdf
    • http://misbailes.com/uploads/1/3/0/6/130621677/130621677.html#makalah+rotifera+pdf

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00000faf.bin
95c79ca4ad08664ee02c9c7bbb64f0693ac7805fda01f5516c5f9ab91562c84d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xFAF 8264 bytes
font_01_sfnt_off000095f7.bin
779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63		 pdf-font-stream PDF embedded font (sfnt) at offset 0x95F7 16036 bytes
font_02_sfnt_off0000aa0e.bin
be5fd3f1615430fc1ef0ed64bbfc1c930ec1f85a196f6d1d2d24b7acd1bb9f5b		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAA0E 2596 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.