Malicious PDF — malware analysis report

Static analysis result for SHA-256 0ac8c1b9c291131a…

Verdict: MALICIOUS
File type: PDF
Size: 41.3 KB
Created: 2020-03-14 17:03:38 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 4f97ce61cc48e2a3f3329e3515878ccd
SHA-1: a6fbbd96292ef49179933145c9f524064f3d2c51
SHA-256: 0ac8c1b9c291131a090b13e66e3dcfdbe68bc5be1c2f8928ebba0a5c74e6eeff
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF contains a large number of external links, identified as a 'PDF_SEO_LINK_FARM' heuristic. The ML classifier also flagged the document as malicious with high confidence. The primary purpose appears to be directing users to a multitude of external PDF files hosted on various domains, likely for SEO manipulation or to serve as a landing page for further malicious activity.

Machine Learning

  • Nyx PDF Classifier: malicious (score 0.9999)

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00008eb3.bin
SHA-256:  e6b77fb9afdfdbfc5fd43646a23d5d5826d5c9b4810d0129127c75fedde21f8e
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x8EB3
Size:     7356 bytes