Malicious PDF — malware analysis report

Static analysis result for SHA-256 49c74ff0529f715f…

Verdict: MALICIOUS
File type: PDF
Size: 43.7 KB
Authoring application: Inkscape
MD5: 311dbe04ed62026cb3b3bc31258280d5
SHA-1: 08a0b4ded2bd40cf40348cd75f0780b581d49296
SHA-256: 49c74ff0529f715f6e20cf47a0bf598faa2c5d58cd5295b968a08cb211c28621
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, suggesting a link farm or redirection tactic. The ML classifier and ClamAV detection strongly indicate malicious intent, specifically identified as phishing. The document body, though partially corrupted, contains text related to 'Infective acute gastroenteritis treatment' and includes embedded URLs, reinforcing the phishing lure. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL info (rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://creartivemedia.com/uploads/1/3/0/6/130621285/gujura.pdf
    • http://ndhomesinc.com/uploads/1/3/0/3/130323146/fefow.pdf
    • http://iconftx.com/uploads/1/3/0/6/130621293/rejativafatisitadiz.pdf
    • http://kylaconner.com/uploads/1/3/0/6/130620168/gofugis.pdf
    • http://saffronskyphotography.com/uploads/1/3/0/6/130604682/werunanamaper.pdf
    • http://neobyapps.com/uploads/1/3/0/6/130604750/3d40180da1.pdf
    • http://nargis.net/uploads/1/3/0/5/130544118/taxetupurapez-goluni-mejuk-pupufekipibidar.pdf
    • http://msexcelplus.com/uploads/1/3/0/6/130620919/3469668.pdf
    • http://nupelicanparty.org/uploads/1/3/0/5/130547340/130547340.html#infective+acute+gastroenteritis+treatment

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000115d.bin
SHA-256: ff8736e45df2e065a0ca7ebf2cdede8bd6434d1b7a9dd3ce57bd6185567630ba
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x115D
Size: 8076 bytes