Malicious PDF — malware analysis report

Static analysis result for SHA-256 a74d4cdc57161dd8…

MALICIOUS

PDF

Size: 31.4 KB
Authoring application: pdf-parser
MD5: aab3942075a2c99d080e9b3cf0e3da63
SHA-1: 9d9fab0ebab87fd407d0bf1274df11e7fd542306
SHA-256: a74d4cdc57161dd85bfd2c689c8a33621d2aa7a19c066ee58f395ebe0d20d83c
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, as malicious. The critical PDF_SEO_LINK_FARM heuristic indicates a large number of embedded external links, with deviseagency.com being the dominant host. This suggests the document is designed to redirect users to potentially harmful content, likely for phishing or malware distribution. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://deviseagency.com/uploads/1/3/0/4/130477278/vutigon.pdf
    • http://m2d-design-interieur.com/uploads/1/3/0/4/130476984/fovikatosid_sotutomuvagi_sotatefuk.pdf
    • http://caninesandkilos.net/uploads/1/3/0/5/130545382/9484799.pdf
    • http://saritelpner.com/uploads/1/3/0/3/130323445/nalenemomege-xafapinasadatu-powiguxiz.pdf
    • http://mygosolartoday.com/uploads/1/3/0/6/130622063/8218113.pdf
    • http://slukappasigma.com/uploads/1/3/0/5/130538869/ruxekilavif-sikedirap.pdf
    • http://sdhockey.ca/uploads/1/3/0/7/130740597/bulodaziduxevejatil.pdf
    • http://amudyomi.net/uploads/1/3/0/3/130323172/9667870.pdf
    • http://mudtires.ca/uploads/1/3/0/5/130590336/ded90ecfbe4737.pdf
    • http://pavanmehat.com/uploads/1/3/0/5/130551339/rusikasofulixev-gerif.pdf
    • http://reikijan.com/uploads/1/3/0/7/130776180/suxakepewolovekimafe.pdf
    • http://newperspectivemedical.com/uploads/1/3/0/4/130490151/130490151.html#rustler+4x4+vxl+manual

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00001281.bin
SHA-256: 5d34300cac0099c5f255e590cb6f20edc7b94701bf0e0dbe29e1b2134d7d9b91
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1281
Size: 8604 bytes