Malicious PDF — malware analysis report

Static analysis result for SHA-256 ec0a8556db635cac…

MALICIOUS

PDF

Size: 35.4 KB
Authoring application: LibreOffice Draw
MD5: 1cffc4f691733ae60f17151684dc3a0e
SHA-1: d4ef4763d93bd2569a09eb37bb3ea69641f7e802
SHA-256: ec0a8556db635cacfb3195dcc67cd96458e65dec6b50b6e3f43fa2b63af93302
Risk Score: 92

Malware Insights

MITRE ATT&CK: T1059.001 PowerShell

The PDF contains multiple embedded URIs pointing to external PDF files. The ClamAV detection 'Pdf.Phishing.TtraffRobotInstall-7605656-0' and the ML classifier score together strongly indicate malicious intent, most likely phishing or malware distribution. The document body text appears to be corrupted or irrelevant and provides no direct clue to the lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (3)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://painfuljoint.org/uploads/1/3/0/6/130621158/ebb23b7988.pdf
    • http://damouretdesucre.com/uploads/1/3/0/3/130379105/nezunomizix.pdf
    • http://oregonprenup.com/uploads/1/3/0/5/130539016/55cf2cd422.pdf
    • http://davidmarquesibanez.com/uploads/1/3/0/6/130639493/130639493.html#hip+labrum+tear+pt+exercises

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00000faa.bin
SHA-256: 11eb8638f7e03c8bcf4f2175e5da418aa4cc71d580478539390d3d8cf7d0e0f3
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xFAA
Size: 8368 bytes