Malicious PDF — malware analysis report

Static analysis result for SHA-256 ec6dd1bd66ee238b…

Verdict: MALICIOUS
File type: PDF
Size: 36.3 KB
Authoring application: Poppler-utils (taken from the file's own Producer/Creator metadata, which whoever built the file controls, so it is not a trustworthy provenance indicator)
MD5: e26a1c2b516ea638046b6b7318ab57b9
SHA-1: 33989c660885c252247d4bc1e9062d1e531d8d03
SHA-256: ec6dd1bd66ee238b5ca20e73b99a94c9f86de2a2e05ae0e6d5848fe2c96b1ca8
Risk score: 94

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment (the PDF itself); T1566.002 Spearphishing Link (its external /URI targets); T1059.001 PowerShell

Two independent signals agree: the ClamAV signature Pdf.Phishing.TtraffRobotInstall-7605656-0 and a Nyx PDF Classifier malicious score of 0.9995. The PDF contains embedded URLs that, as the signature name suggests, likely lead to further malicious content. The document body, though truncated, also contains URLs pointing to external resources, reinforcing the phishing lure. Of the three heuristics that fired, none concerns JavaScript, PowerShell or any other execution channel, so the T1059.001 mapping is not supported by the artifacts listed in this report; the actionable indicators are the extracted URLs below.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (3)

  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • External URI (info, PDF_URI)
    The PDF contains an external URL action (a /URI action, normally attached to a link annotation, that opens its target when triggered).
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://kakitokizever.weebly.com/uploads/1/3/0/5/130543684/2558593.pdf
    • http://raycelamb.com/uploads/1/3/0/4/130436389/2848de5d143636c.pdf
    • http://gratificationapp.com/uploads/1/3/0/2/130272362/de1dc17992.pdf
    • http://tcsonline.net/uploads/1/3/0/7/130740249/130740249.html#7+core+exercises+for+low+back+pain+%28important+%29
    All four URLs share the same /uploads/1/3/0/<n>/<id>/ directory layout (the first sits on a weebly.com free-hosting subdomain) and three of them point at further .pdf files, which is consistent with the report's conclusion that they lead on to more lure content. Treat them as indicators to block, and fetch them only from an isolated analysis host.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00000fc0.bin
SHA-256:  33cfc5221dc4e5feb794a7f08d06d3c7595a305ed2ed90ddf5801821c220ea99
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0xFC0
Size:     7740 bytes
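To make the three findings above concrete (the PDF_URI action, the EMBEDDED_URL extraction, and the carved sfnt font stream), here is a small re-implementation of those checks. This is an added example, not the analysis platform's own code; it builds its own constructed sample PDF (the example.invalid URLs, the object layout and the function names build_sample_pdf, iter_streams, pdf_uri_actions, embedded_urls and carve_fonts are all assumptions for illustration) and runs entirely offline. It also shows why a raw string scan is not enough: the body URL in the sample lives inside a FlateDecode stream and only appears once the stream is decoded.

```python
import hashlib
import re
import zlib


def build_sample_pdf() -> bytes:
    """Constructed sample, not the analysed file: a link annotation with a
    /URI action, a FlateDecode content stream whose text carries a URL (so a
    raw grep misses it), and a TrueType font stream (sfnt magic 00 01 00 00)."""
    font = b"\x00\x01\x00\x00" + b"\x00" * 60
    body = zlib.compress(b"BT (see http://lure.example.invalid/p.pdf) Tj ET")
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [5 0 R] >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(body)
        + body + b"\nendstream",
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
        b"/A << /S /URI /URI (https://link.example.invalid/2558593.pdf) >> >>",
        b"<< /Length %d /Subtype /TrueType >>\nstream\n" % len(font)
        + font + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# "N 0 obj << ... >> stream": the tempered dot keeps the dictionary match
# inside one object (it cannot run across "endobj").
STREAM_RE = re.compile(
    rb"(\d+)\s+\d+\s+obj\s*(<<(?:(?!endobj).)*?>>)\s*stream\r?\n", re.DOTALL)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")   # direct lengths only
# /URI followed by a literal (...) or hex <...> string; the name "/S /URI" is
# skipped because no string delimiter follows it.
URI_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)")
URL_RE = re.compile(rb"https?://[^\s<>()\[\]\"']+")
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"ttcf")


def iter_streams(pdf: bytes):
    """Yield (object number, file offset of the stream data, dictionary,
    raw bytes, decoded bytes) for every stream object. Object streams,
    xref streams and encryption are out of scope for this illustration."""
    for m in STREAM_RE.finditer(pdf):
        num, dic, start = int(m.group(1)), m.group(2), m.end()
        lm = LENGTH_RE.search(dic)
        if lm:                                    # direct /Length: use it
            raw = pdf[start:start + int(lm.group(1))]
        else:                                     # indirect /Length: scan
            raw = pdf[start:pdf.find(b"endstream", start)].rstrip(b"\r\n")
        data = raw
        if b"/FlateDecode" in dic:
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                pass                              # keep raw; real tooling flags this
        yield num, start, dic, raw, data


def pdf_uri_actions(pdf: bytes) -> list:
    """PDF_URI heuristic: every /URI action target in the file."""
    targets = []
    for m in URI_RE.finditer(pdf):
        if m.group(1) is not None:
            # simplified escape handling: \( \) \\ only, no octal or \n
            s = re.sub(rb"\\(.)", rb"\1", m.group(1))
        else:
            s = bytes.fromhex(re.sub(rb"\s", b"", m.group(2)).decode("ascii"))
        targets.append(s.decode("latin-1"))
    return targets


def embedded_urls(pdf: bytes) -> dict:
    """EMBEDDED_URL heuristic: URL -> channel it was found in. Raw file first,
    then each Flate-decoded stream, which is where page-text URLs live."""
    found = {}
    for url in URL_RE.findall(pdf):
        found.setdefault(url.decode("latin-1"), "raw file")
    for num, _, _, raw, data in iter_streams(pdf):
        if data is not raw:                       # only streams we actually decoded
            for url in URL_RE.findall(data):
                found.setdefault(url.decode("latin-1"), "decoded stream obj %d" % num)
    return found


def carve_fonts(pdf: bytes) -> list:
    """Carve embedded sfnt fonts, named as in the artifact table above:
    font_<index>_sfnt_off<hex file offset>.bin, with size and SHA-256."""
    carved = []
    for _, off, _, _, data in iter_streams(pdf):
        if data[:4] in SFNT_MAGICS:
            carved.append({
                "filename": "font_%02d_sfnt_off%08x.bin" % (len(carved), off),
                "offset": off,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
    return carved


if __name__ == "__main__":
    sample = build_sample_pdf()
    print("PDF_URI     ", pdf_uri_actions(sample))
    print("EMBEDDED_URL", embedded_urls(sample))
    for font in carve_fonts(sample):
        print("artifact    ", font)
```

Running it on the constructed sample reports one /URI action target, two embedded URLs (the annotation target found in the raw file and the page-text URL found only after decoding object 4), and one carved font artifact with a file offset, size and hash in the same shape as the table above. The carved font is worth examining on its own: font streams are opaque binaries that the report hashes but does not classify, so they should be scanned separately rather than assumed benign.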