Malicious PDF — malware analysis report

Static analysis result for SHA-256 1cce1706dc7fdb07…

Verdict: MALICIOUS
File type: PDF
Size: 39.1 KB
Created: 2020-03-29 13:39:09 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 9abf814fa852fea1d62e5ba71a481f0f
SHA-1: 13643d755979d28e30abfaf5f6c2f19d18ee9e3f
SHA-256: 1cce1706dc7fdb07429cf70850ac8b40a8f6fd2d43b154dd8a0d89173d2d124b
Risk score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.001 User Execution: Malicious Link

The PDF document contains a large number of external links, almost all of which point to other PDF files hosted on different domains but under one identical generated path layout (/uploads/1/3/<d>/<d>/<9-digit id>/<name>.pdf); the one exception is an HTML landing page whose URL fragment is search-engine keyword text. This is the pattern of a link farm built to inflate search rankings or to route users into malicious or unwanted-software delivery chains. The producer string (wkhtmltopdf, an HTML-to-PDF converter) is consistent with a page rendered from an HTML template rather than a hand-authored document, and the ML classifier's score of 1.0000 independently supports the link-farm heuristic.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    A small PDF contains many clickable external links to other PDF files, clustered on one host or, as in this sample, on one generated path layout (/uploads/1/3/<d>/<d>/<9-digit id>/) spread across many hosts. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action (/URI)
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Of the URLs below, the /uploads/ entries are the clickable link targets covered by the heuristics above, while the last six (w3.org, purl.org, ns.adobe.com) are XMP/RDF schema namespace identifiers from the document's metadata, not navigable links.
    • http://miracleinabucket.com/uploads/1/3/1/4/131407310/131407310.html#lista+de+verbos+irregulares+mas+usados+en+ingles+con+pronunciacion
    • http://eumid.com/uploads/1/3/1/3/131379054/c940a46c087311.pdf
    • http://paleoandthesauna.com/uploads/1/3/0/2/130271094/lodazopubisi.pdf
    • http://motherhenmusic.org/uploads/1/3/0/6/130620945/3588310.pdf
    • http://fearhouse.net/uploads/1/3/0/7/130739754/68796edfb6b.pdf
    • http://nourishwithcassi.com/uploads/1/3/0/6/130620966/kinuzesor.pdf
    • http://modestoclimatizacaoeenergiasolar.com/uploads/1/3/0/4/130476740/269fb3518.pdf
    • http://jessrikerblog.com/uploads/1/3/0/6/130639181/likazaxijokifo.pdf
    • http://randiegley.info/uploads/1/3/0/7/130739540/sivikaxoboxa.pdf
    • http://lovepetsforever.net/uploads/1/3/0/6/130620736/gaturibaris_wotawuzadukaf.pdf
    • http://trouvelefil.com/uploads/1/3/0/5/130542780/25071.pdf
    • http://swillinijaguars.com/uploads/1/3/1/3/131380183/salol.pdf
    • http://newlifelasersk.ca/uploads/1/3/0/6/130603814/fipegatati.pdf
    • http://frostedbybrayla.com/uploads/1/3/0/2/130273899/ff0d6dd.pdf
    • http://catawbafarm.org/uploads/1/3/0/7/130775630/nelufut-fepenuk-subunatosale.pdf
    • http://www.locoessentials.com/uploads/1/3/0/2/130272332/sufepifaxalebo.pdf
    • http://housebythelakephuket.com/uploads/1/3/0/6/130604258/031357ef9d12.pdf
    • http://virtualposhassistants.com/uploads/1/3/0/2/130289541/c4749f028be7f36.pdf
    • http://jay-are.com/uploads/1/3/0/2/130271114/7705341.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
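
To show how the PDF_URI / EMBEDDED_URL channels and the PDF_SEO_LINK_FARM heuristic above can be reproduced, here is an added Python example; it is not the analyzer's code. It builds a constructed PDF in memory with /Link annotations mimicking the report's link pattern, extracts only the URLs reachable through /S /URI actions (so XMP namespace URIs in the metadata stream are excluded, unlike a grep-style scan of the file), and scores the result. The thresholds (min_links, max_size, cluster_share), the .example host names and the sample URLs are assumptions.

```python
"""
Added example (not the analyzer's code): pull /URI actions out of a PDF the way
the PDF_URI / EMBEDDED_URL channels do, then apply a link-farm heuristic in the
spirit of PDF_SEO_LINK_FARM. Thresholds and the sample PDF are assumptions.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Innermost dictionaries only (no nested << >>), which is exactly where a
# link annotation's /A action dictionary lives.
DICT_RE = re.compile(rb"<<((?:(?!<<|>>).)*)>>", re.DOTALL)
S_URI_RE = re.compile(rb"/S\s*/URI\b")
# /URI value as a literal string (...) or a hex string <...>
URI_VALUE_RE = re.compile(
    rb"/URI\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)", re.DOTALL)
NAIVE_URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}


def _unescape(lit: bytes) -> str:
    """Resolve PDF literal-string escapes (\\( \\) \\\\ \\n); octal escapes are not handled."""
    out, i = bytearray(), 0
    while i < len(lit):
        if lit[i:i + 1] == b"\\" and i + 1 < len(lit):
            i += 1
            out += ESCAPES.get(lit[i:i + 1], lit[i:i + 1])
        else:
            out += lit[i:i + 1]
        i += 1
    return out.decode("latin-1")


def extract_uri_actions(pdf: bytes) -> list[str]:
    """URLs that are actually clickable: the /URI of every /S /URI action."""
    urls = []
    for m in DICT_RE.finditer(pdf):
        body = m.group(1)
        if not S_URI_RE.search(body):
            continue
        v = URI_VALUE_RE.search(body)
        if v is None:
            continue
        if v.group("lit") is not None:
            urls.append(_unescape(v.group("lit")))
        else:
            h = re.sub(rb"\s", b"", v.group("hex"))
            urls.append(bytes.fromhex((h + b"0" * (len(h) % 2)).decode()).decode("latin-1"))
    return urls


def extract_all_urls(pdf: bytes) -> list[str]:
    """Grep-style extraction: also returns XMP namespace URIs etc. that are not links."""
    return sorted({m.group().decode("latin-1") for m in NAIVE_URL_RE.finditer(pdf)})


def link_farm_score(pdf: bytes, min_links: int = 10, max_size: int = 200 * 1024,
                    cluster_share: float = 0.5) -> dict:
    """Flag a small PDF whose clickable links are mostly external .pdf targets
    clustered on one host or on one path template. Thresholds are assumed."""
    urls = extract_uri_actions(pdf)
    pdf_links = [u for u in urls if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).netloc.lower() for u in pdf_links)
    # Collapse digit runs so /uploads/1/3/0/6/130620945/ and /uploads/1/3/1/3/131379054/
    # count as the same generated path template even across different hosts.
    templates = Counter(re.sub(r"\d+", "N", urlsplit(u).path.rsplit("/", 1)[0]) for u in pdf_links)
    n = len(pdf_links)
    top_host = hosts.most_common(1)[0][1] / n if n else 0.0
    top_tpl = templates.most_common(1)[0][1] / n if n else 0.0
    flagged = len(pdf) <= max_size and n >= min_links and max(top_host, top_tpl) >= cluster_share
    return {"size": len(pdf), "uri_actions": len(urls), "pdf_links": n, "hosts": len(hosts),
            "top_host_share": round(top_host, 2), "top_template_share": round(top_tpl, 2),
            "link_farm": flagged}


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed single-page PDF with one /Link annotation per URL plus an XMP
    metadata stream. No xref table: the extractor scans objects, not the xref."""
    annots, objs = [], []
    for i, u in enumerate(urls):
        n = 5 + i
        annots.append(f"{n} 0 R")
        esc = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        objs.append(f"{n} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 {10*i} 200 {10*i+10}] "
                    f"/A << /S /URI /URI ({esc}) >> >>\nendobj\n")
    xmp = ("<x:xmpmeta xmlns:x='adobe:ns:meta/'>"
           "<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'/></x:xmpmeta>")
    objs.append(f"{5+len(urls)} 0 obj\n<< /Type /Metadata /Subtype /XML /Length {len(xmp)} >>\n"
                f"stream\n{xmp}\nendstream\nendobj\n")
    head = ("%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
            "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            f"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
            f"/Annots [{' '.join(annots)}] >>\nendobj\n")
    return (head + "".join(objs) + "%%EOF\n").encode("latin-1")


# Constructed link set mimicking the report's pattern: many hosts, one generated path layout.
SAMPLE_URLS = [f"http://site{i:02d}.example/uploads/1/3/0/{i % 8}/13062{i:04d}/doc{i}.pdf"
               for i in range(12)]
SAMPLE_URLS.append("http://landing.example/uploads/1/3/1/4/131407310/131407310.html#lista")

if __name__ == "__main__":
    pdf = build_sample_pdf(SAMPLE_URLS)
    print("grep-style URLs:", len(extract_all_urls(pdf)), "| /URI actions:", len(extract_uri_actions(pdf)))
    print(link_farm_score(pdf))
```

Two caveats for real samples: annotation dictionaries packed into object streams (/ObjStm) or inside an encrypted PDF are invisible to a raw byte scan like this one, so a production pipeline inflates object streams and decrypts first; and /GoToR, /Launch and JavaScript actions can also carry external targets, which this example deliberately leaves to other channels.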

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006e27.bin
SHA-256: 158280412aeae365cb7b3a8add1dacd5ea69847fb2705966567ade63978e0a8f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6E27
Size: 8428 bytes
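
The artifact above was carved from an embedded font stream. As an added example that is not the analyzer's code, the following Python carver locates stream objects, reads a direct /Length or falls back to the endstream keyword when /Length is an indirect reference, inflates FlateDecode streams, keeps only data that starts with an sfnt magic (TrueType/OpenType containers), and names each result by the offset of its stream data in the same font_NN_sfnt_offXXXXXXXX.bin style. The constructed sample PDF, and the assumption that the report's offset refers to the stream data rather than the enclosing object, are mine.

```python
"""
Added example (not the analyzer's code): carve embedded sfnt font streams out of
a PDF, name them by stream-data offset and hash them. Sample PDF is constructed.
"""
import hashlib
import re
import zlib

# A stream dictionary without nested << >> (e.g. no /DecodeParms dict), then the stream keyword.
STREAM_RE = re.compile(rb"<<(?P<dict>(?:(?!<<|>>).)*)>>\s*stream\r?\n", re.DOTALL)
# Direct /Length only; an indirect '/Length 7 0 R' is rejected by the lookahead.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?![\d\s]*R)")
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")


def carve_sfnt_fonts(pdf: bytes) -> list[dict]:
    """Return one record per stream whose (decoded) data is an sfnt font."""
    found = []
    for m in STREAM_RE.finditer(pdf):
        d, start = m.group("dict"), m.end()
        lm = LENGTH_RE.search(d)
        if lm:
            data = pdf[start:start + int(lm.group(1))]
        else:
            # Indirect /Length: fall back to the endstream keyword and drop the single EOL before it.
            end = pdf.find(b"endstream", start)
            if end < 0:
                continue
            data = pdf[start:end]
            for eol in (b"\r\n", b"\n", b"\r"):
                if data.endswith(eol):
                    data = data[:-len(eol)]
                    break
        if b"/FlateDecode" in d:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue  # truncated or corrupt stream; a real tool would log this
        if data[:4] not in SFNT_MAGICS:
            continue  # not an sfnt container (Type1/CFF streams need their own checks)
        found.append({"name": f"font_{len(found):02d}_sfnt_off{start:08x}.bin",
                      "offset": start, "size": len(data),
                      "sha256": hashlib.sha256(data).hexdigest()})
    return found


def build_sample_pdf() -> bytes:
    """Constructed PDF fragment: a content stream, then the same fake sfnt blob stored
    raw with a direct /Length, Flate-compressed, and raw with an indirect /Length."""
    font = b"\x00\x01\x00\x00\x00\x03" + bytes(range(256)) * 4  # sfnt magic + dummy table bytes

    def obj(num, extra, data):
        return (f"{num} 0 obj\n<< {extra} /Length {len(data)} >>\nstream\n".encode()
                + data + b"\nendstream\nendobj\n")

    return (b"%PDF-1.4\n"
            + obj(4, "", b"BT /F1 12 Tf (hello) Tj ET")
            + obj(7, f"/Length1 {len(font)}", font)
            + obj(8, f"/Filter /FlateDecode /Length1 {len(font)}", zlib.compress(font))
            + b"9 0 obj\n<< /Length 10 0 R >>\nstream\n" + font + b"\nendstream\nendobj\n"
            + b"%%EOF\n")


if __name__ == "__main__":
    for art in carve_sfnt_fonts(build_sample_pdf()):
        print(art)
```

Hashing the decoded bytes rather than the raw stream is what lets the same font be matched across differently compressed carriers; the endstream fallback is only safe because a conforming writer puts exactly one EOL before the keyword, so a stream whose data legitimately ends in 0x0A or 0x0D can still lose a byte when /Length is indirect and unresolved.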