Malicious PDF — malware analysis report

Static analysis result for SHA-256 19bd1d1e45197577…

Verdict: MALICIOUS
File type: PDF
Size: 58.8 KB
Created: 2020-03-22 10:11:09 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 97a2c7bc53fde28cc02ae6f2ebe75859
SHA-1: 398c51fea7be4c91b8f14397655ea20fce345478
SHA-256: 19bd1d1e45197577c6ab55ca50eb25a0dbe0ce2bc794847d53f7766b14a0c40d
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. The primary lure appears to be a document titled 'Resumen de etica para adolescentes posmodernos', which directs users to a chain of further PDF links. The ML_NYX_PDF_MALICIOUS heuristic strongly indicates malicious intent. No scripts were extracted from this sample, and the attack relies solely on the redirection to numerous external URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://jenntreado.com/uploads/1/3/0/5/130550750/130550750.html#resumen+de+etica+para+adolescentes+posmodernos

Extracted artifacts 1

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000bada.bin
    SHA-256: c8bc772ccf6f1a7218c0ac5fb59c885d055c5101ea6e6df9901fbe9bce2b783c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xBADA
    Size: 9652 bytes