Malicious PDF — malware analysis report

Static analysis result for SHA-256 6902a1e7e77346dd…

Verdict: MALICIOUS
File type: PDF
Size: 51.0 KB
Authoring application: SWFTools
MD5: 9c2f6c8bc646457accd3b1398efe7674
SHA-1: f7dca40695a21600b2666470a942248a9b2a93d4
SHA-256: 6902a1e7e77346dd3dcb09660166451ce33406656994ff07779fcf259a42f4be
Risk Score: 152

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded links to other PDF files, a technique often used in SEO spam or phishing campaigns to distribute malicious content. The document body mentions Android updates for Huawei devices, a common lure. ClamAV detection and ML classification strongly indicate malicious intent, likely related to distributing further malware or phishing content via the linked PDFs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Fields per artifact: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off000011cc.bin
    SHA-256: 40f255e141de5c5aba9ebb80a60387e6ddbaa09b91a58e92e162ea3f10df63f6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x11CC
    Size: 9904 bytes
  • font_01_sfnt_off00008391.bin
    SHA-256: 345db63e4d973f7eae96fcab6f3188cbc45e0530e6248af78f8a7a5aeaf112d0
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8391
    Size: 5960 bytes