Malicious PDF — malware analysis report

Static analysis result for SHA-256 1c6502fef2ef4d37…

MALICIOUS

PDF

Size: 45.5 KB
Created: 2020-05-21 19:51:10 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b2a2ba9a2a98b804c50126fe3afd2750
SHA-1: d3c3eb976dbfe89ddea6226bc14c45ce5446a660
SHA-256: 1c6502fef2ef4d37b9ad4f19694c62690e85e74ffd3fa678ddffb3995daf04dc
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF document contains a large number of external links, many of which are hosted on unrelated domains and appear to form a link farm. The body text, although partially corrupted, carries a lure related to 'House md season 5 episode 6 watch online' and references the wkhtmltopdf tool, which indicates the document was generated programmatically rather than authored by hand. Its primary purpose appears to be routing users to malicious or spam content through these links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info, PDF_URI)
    The PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://74-123-76-227.mgwnet.com/uploads/1/3/0/4/130476171/130476171.html#house+md+season+5+episode+6+watch+online

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000872b.bin
SHA-256: 77ef02633fd50f4df34db2cc0ea9cd15286fc0f658f1177d525e70e005ec2e4c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x872B
Size: 10272 bytes