Malicious PDF — malware analysis report

Static analysis result for SHA-256 fc69d4b35c547c07…

Verdict: MALICIOUS
File type: PDF
Size: 51.8 KB
Authoring application: Adobe PDF Library 9.0
MD5: 318b698a770f9991b9414666446c5046
SHA-1: d093ce36c54e7e6192237753505798968fdc4f73
SHA-256: fc69d4b35c547c0781cae9c1108c070afc440b1bc27bbc712b459b76f7690818
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, pointing to various domains. The document body text, though partially corrupted, mentions 'Indian income tax calculator excel sheet', suggesting a lure to disguise the malicious intent. The ML classifier and ClamAV detection strongly indicate maliciousness, with ClamAV specifically identifying it as 'Pdf.Phishing.TtraffRobotInstall'. The embedded URLs are likely used to distribute further malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9997

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
      • http://goper.brazilplan.club/uploads/2020/01/29/pipoberumej-lawerotu-kogive-laxigu.pdf
      • http://nhsofdav.com/uploads/1/3/0/3/130313188/difopox.pdf
      • http://museumeats.com/uploads/1/3/0/6/130621464/5115601.pdf
      • http://misbailes.com/uploads/1/3/0/7/130776176/130776176.html#indian+income+tax+calculator+excel+sheet

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000102a.bin
SHA-256: f0866eeb8a31dac846dfeead9b5ed06b71bdff746efe0060af7f7d46fc507adf
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x102A
Size: 8624 bytes