Malicious PDF — malware analysis report

Static analysis result for SHA-256 9201a1e201df3c1b…

MALICIOUS

PDF

Size: 29.3 KB
Authoring application: SWFTools
MD5: dbb488be875f55edb5aa2db15854e545
SHA-1: 9d713893b645da4cfe76564b567939a11b41af2d
SHA-256: 9201a1e201df3c1bd96a014e3ccf7e962fc20dfe8126ddfe09b0c1f9e1209398
Risk Score: 150

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was flagged by multiple heuristics, including ClamAV and an ML classifier, indicating malicious intent. The PDF_SEO_LINK_FARM heuristic specifically identified a large number of external links embedded within the document. These links, such as http://adentanewzealand.com/uploads/1/3/0/6/130620585/0477cc036441.pdf, are likely used to redirect users to phishing sites or to download further malicious content. The presence of these links is the primary basis for the attack-pattern mapping and the confidence assigned to it.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://adentanewzealand.com/uploads/1/3/0/6/130620585/0477cc036441.pdf
    • http://nwlaautomationgroup.com/uploads/1/3/0/5/130550698/mizezikuduzo-fapiremodipuvup.pdf
    • http://mishakaura.com/uploads/1/3/0/6/130621457/zakusixotenukededemu.pdf
    • http://djsacademy.com/uploads/1/3/0/7/130738658/130738658.html#hip+labral+repair+protocol+uw

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00000fcf.bin
    SHA-256: c6c9542022f3564e3daf5bca67d6afa60c7a6e35188690ec32bd40398c3495ef
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFCF
    Size: 8244 bytes