Malicious PDF — malware analysis report

Static analysis result for SHA-256 1c8904d694b83673…

MALICIOUS

PDF

Size: 47.5 KB
Created: 2020-03-25 06:46:12 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: bdd35f7ebd2a92e01e508809703b94b0
SHA-1: 7191c666a9d9416a0ef733a255a92388b6aa668d
SHA-256: 1c8904d694b8367301c8d2ee81f3e360f8f67d751cec962e5e611b4ad012c7f9
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

This PDF file was flagged by a machine learning classifier as malicious. It contains a large number of external links, many pointing to numeric slugs on the 'bettabowls.com' domain, indicating a link farm or SEO spam tactic. The document body contains garbled text and a URL that appears to be the primary lure, directing users to a network of sites hosting other PDFs. No scripts were extracted, and the primary malicious activity appears to be the redirection to external malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://waxhawcottages.com/uploads/1/3/0/6/130621102/130621102.html#metodo+grafico+de+singapur+6+pdf+gratis
    • http://bettabowls.com/uploads/1/3/0/4/130483198/bolodated.pdf
    • http://www.bluestockpm.com/uploads/1/3/0/3/130323115/fejeziz-papuvi.pdf
    • http://southernautomationandsafety.com/uploads/1/3/1/0/131069991/7218255.pdf
    • http://www.raapremiereproperties.com/uploads/1/3/0/2/130291939/9272493.pdf
    • http://leatherlark.com/uploads/1/3/0/4/130435943/vuxuneleji_xuzetobexej_linajuf.pdf
    • http://teamvip.pink/uploads/1/3/1/0/131070044/4791377.pdf
    • http://chikisima.com/uploads/1/3/0/2/130272470/dovizasibobi.pdf
    • http://ruffneckscarveswholesale.com/uploads/1/3/0/6/130639266/c491736669d2.pdf
    • http://vidacoral.company/uploads/1/3/0/7/130775752/3284010.pdf
    • http://www.360.manhattan-hs.org/uploads/1/3/0/6/130639815/gusafavise.pdf
    • http://nhantienquocte-vn.online/uploads/1/3/0/6/130621630/gumil.pdf
    • http://violainedompierre.com/uploads/1/3/0/6/130604556/2617195.pdf
    • http://www.auxiliax.com/uploads/1/3/0/8/130814803/lopomekuniga.pdf
    • http://realwebstack.com/uploads/1/3/0/3/130379575/276700.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename:  font_00_sfnt_off00008b47.bin
SHA-256:   5d6f8cde49f47f14ac18e5ab1a34f3cac3ecb84f406ddfdb7a7a7f89ff779b01
Kind:      pdf-font-stream
Source:    PDF embedded font (sfnt) at offset 0x8B47
Size:      10092 bytes