Malicious PDF — malware analysis report

Static analysis result for SHA-256 1f38c4e95e5b8e65…

Verdict: MALICIOUS
File type: PDF
Size: 44.2 KB
Created: 2020-03-29 12:37:43 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: b98c643feb4c6410671814ae6b301815
SHA-1: 40c9533cb36c0fc26a6b8abe49bd1ea7faa76d5d
SHA-256: 1f38c4e95e5b8e656432856beddf34d17d8896d79f27aceaa70103db26d88676
Risk score: 92

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF carries 23 external links to 23 different hosts, every one of them under the same /uploads/1/3/x/y/<9-digit id>/ directory layout, and 22 of the 23 targets are themselves .pdf files. That is the generated link-farm pattern rather than a citation pattern, and it is exactly what the PDF_SEO_LINK_FARM heuristic flags: the document's apparent purpose is to route readers to these URLs. The file is small (44.2 KB) and was rendered from HTML by wkhtmltopdf, which fits a bulk-produced SEO carrier. The Nyx PDF classifier scores the sample 1.0000 malicious. The linked targets were not fetched during this static analysis, so the URL list is evidence of intent, not a per-target detection.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern. In this sample the clustering is not on a host (the 23 links use 23 different hosts) but on the path layout: every target sits under /uploads/1/3/x/y/<9-digit id>/.
  • PDF_URI (info): External URI
    PDF contains an external URL action (/URI).
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    External link targets (23, each on a different host, all under the same /uploads/1/3/x/y/<9-digit id>/ layout):
    • http://shardexplorers.com/uploads/1/3/0/2/130289244/130289244.html#oraciones+con+el+verbo+have+en+pasado+simple
    • http://slateriverhomeinspections.com/uploads/1/3/0/5/130590096/bepivazol_wizusidenuw_jorit_jugojefel.pdf
    • http://98citywideinvestments.net/uploads/1/3/0/3/130313561/fazedajodu.pdf
    • http://xboxunderground.com/uploads/1/3/0/5/130540193/2357541.pdf
    • http://mdp.gallery/uploads/1/3/1/4/131411147/3605193.pdf
    • http://evoenterprises.com/uploads/1/3/0/7/130738777/2796af0d470469.pdf
    • http://the-sustainables.org/uploads/1/3/0/4/130483690/polodixogize.pdf
    • http://upchagaconnections.info/uploads/1/3/0/9/130969419/jobibil-dodab-rolewanebej.pdf
    • http://cattailconstructionllc.com/uploads/1/3/0/5/130552073/b641d114.pdf
    • http://candleshack.org/uploads/1/3/0/3/130379239/c9a317e.pdf
    • http://bcbcheer.com/uploads/1/3/0/5/130550826/fikerozoj_sezoko.pdf
    • http://deewanekhaas.net/uploads/1/3/0/9/130968997/2088220.pdf
    • http://usmakingcents.com/uploads/1/3/0/2/130291463/xixirenagusogojuzup.pdf
    • http://oxaudit.com/uploads/1/3/1/3/131398322/a571a2a31f77884.pdf
    • http://shopmydarlingdragon.com/uploads/1/3/1/3/131380344/rosekegesesuzuwiko.pdf
    • http://missiontriangle.us/uploads/1/3/0/7/130739101/lerilefukafut.pdf
    • http://suvivorsisterspendant.com/uploads/1/3/0/4/130483329/zuvinakafemarafasi.pdf
    • http://three54.com/uploads/1/3/0/5/130539935/nenozed.pdf
    • http://dorishamer.de/uploads/1/3/0/3/130379363/xikanemikodovo_bugirumixubuxek_fogifaliselo.pdf
    • http://zastrowtutoring.com/uploads/1/3/0/7/130775987/2892843.pdf
    • http://www.cbcsomerset.com/uploads/1/3/0/8/130874366/wulabup-jotadajog-rerexobiwi-vezetubadanit.pdf
    • http://louisaanderic.com/uploads/1/3/0/4/130476878/9266573.pdf
    • http://propertyresolvednow.com/uploads/1/3/0/6/130640078/tazegujizuj_nejatilomukik.pdf
    XMP metadata namespace identifiers (6), picked up by URL extraction from the document's XMP packet; they name the RDF, Dublin Core and Adobe schemas in use and are not navigational links:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
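The two checks this section rests on, URL extraction by channel and the link-farm clustering heuristic, as an added Python example (not the analysis platform's code). It scans the raw bytes and every Flate-compressed stream for /URI link actions and for bare http(s) URLs, labels each URL with the channel that produced it, keeps the XMP namespace identifiers that a plain URL grep pulls out of the metadata packet separate from clickable links, and then scores a small PDF on how strongly its clickable links cluster by host or by path shape. The path-shape test generalises the heuristic's own text, which speaks of one host, to the per-path clustering this sample shows. The sample PDF builder, the *.example hosts, the thresholds and all function names are assumptions; the builder omits the xref, so its output is input for the scanner, not a file a viewer would open cleanly.

```python
"""Link-farm triage for a PDF: pull URLs by channel (/URI link actions vs. plain text,
also inside Flate-compressed streams), set XMP namespace identifiers aside, and score the
host/path clustering that PDF_SEO_LINK_FARM describes. Added example, not the platform's
code; the thresholds, hosts and sample PDF are assumptions."""
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# XMP schema identifiers live in the metadata packet; they are not clickable links.
XMP_NAMESPACE_PREFIXES = ("http://www.w3.org/1999/02/22-rdf-syntax-ns",
                          "http://purl.org/dc/elements/1.1/", "http://ns.adobe.com/")
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)  # /URI (...) form only
GENERIC_URL = re.compile(rb"https?://[^\s<>()\"']+")
STREAM = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)


def pdf_unescape(s: bytes) -> bytes:
    """Undo the literal-string escapes that matter for URLs: \\( \\) \\\\ ."""
    return re.sub(rb"\\([()\\])", lambda m: m.group(1), s)


def inflate(data: bytes) -> bytes:
    try:  # decompressobj tolerates trailing bytes (a stray \r before endstream)
        return zlib.decompressobj().decompress(data)
    except zlib.error:
        return b""  # not Flate-compressed (plain XMP packet, image data, ...)


def extract_urls(pdf: bytes) -> list[tuple[str, str]]:
    """(channel, url) pairs: 'uri-action' for /URI link actions, 'text' for any other
    http(s) URL seen in the raw bytes or in an inflated stream."""
    buffers = [pdf] + [inflate(m.group(1)) for m in STREAM.finditer(pdf)]
    actions, texts = [], []
    for buf in buffers:
        actions += [pdf_unescape(m.group(1)).decode("latin-1") for m in URI_LITERAL.finditer(buf)]
        texts += [m.group(0).decode("latin-1") for m in GENERIC_URL.finditer(buf)]
    found = {u: "uri-action" for u in actions}
    for u in texts:
        found.setdefault(u, "text")  # a URL hit by both channels keeps the stronger label
    return [(channel, u) for u, channel in found.items()]


def path_shape(path: str) -> str:
    """/uploads/1/3/0/5/130552073/x.pdf -> /uploads/N/N/N/N/N/* (digits -> N, file -> *)."""
    inner = ["N" if seg.isdigit() else seg for seg in path.split("/")[1:-1]]
    return "/" + "/".join(inner + ["*"])


def link_farm_triage(pdf: bytes, max_size: int = 256 * 1024,
                     min_links: int = 10, cluster_share: float = 0.5) -> dict:
    """Flag a small PDF whose clickable external links cluster on one host or on one
    path shape. Thresholds are illustrative, not the platform's values."""
    urls = extract_urls(pdf)
    links = [u for ch, u in urls if ch == "uri-action" and urlsplit(u).scheme in ("http", "https")
             and not u.startswith(XMP_NAMESPACE_PREFIXES)]
    hosts = Counter(urlsplit(u).hostname for u in links)
    shapes = Counter(path_shape(urlsplit(u).path) for u in links)
    host_share = hosts.most_common(1)[0][1] / len(links) if links else 0.0
    shape_share = shapes.most_common(1)[0][1] / len(links) if links else 0.0
    return {
        "size": len(pdf), "links": len(links), "hosts": len(hosts),
        "top_host_share": round(host_share, 2), "top_shape_share": round(shape_share, 2),
        "top_shape": shapes.most_common(1)[0][0] if shapes else None,
        "xmp_namespaces": sum(u.startswith(XMP_NAMESPACE_PREFIXES) for _, u in urls),
        "PDF_SEO_LINK_FARM": (len(pdf) <= max_size and len(links) >= min_links
                              and max(host_share, shape_share) >= cluster_share),
    }


def build_sample_pdf(urls: list[str], compress_from: int = 6) -> bytes:
    """Constructed sample, not the analysed file: one page, one /Link annotation per URL,
    an XMP packet, and the annotations from index `compress_from` onward inside a
    Flate-compressed stream. No xref or /ObjStm offset header; the scanner needs neither."""
    def annot(num, u):
        u = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        return (f"{num} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                f"/A << /S /URI /URI ({u}) >> >>\nendobj\n")
    xmp = ('<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           'xmlns:dc="http://purl.org/dc/elements/1.1/"/>')
    refs = " ".join(f"{10 + i} 0 R" for i in range(len(urls)))
    plain = "".join(annot(10 + i, u) for i, u in enumerate(urls[:compress_from]))
    packed = zlib.compress("".join(annot(10 + i, u) for i, u in
                                   enumerate(urls[compress_from:], compress_from)).encode("latin-1"))
    head = ("%PDF-1.5\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>\nendobj\n"
            "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
            f"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [{refs}] >>\nendobj\n"
            f"4 0 obj\n<< /Type /Metadata /Subtype /XML /Length {len(xmp)} >>\nstream\n{xmp}\nendstream\nendobj\n"
            + plain)
    return (head.encode("latin-1")
            + f"5 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length {len(packed)} >>\nstream\n".encode()
            + packed + b"\nendstream\nendobj\n%%EOF\n")


# Constructed inputs: a 22-link farm on invented hosts that mimics the report's
# /uploads/1/3/x/y/<9-digit id>/ layout, and an ordinary document with three citation links.
FARM_URLS = [f"http://site{i:02d}.example/uploads/1/3/0/{i % 10}/13{i:07d}/doc{i}.pdf" for i in range(22)]
CITATION_URLS = ["https://www.rfc-editor.org/rfc/rfc8259",
                 "https://docs.python.org/3/library/zlib.html", "https://www.w3.org/TR/xml/"]
```

Calling link_farm_triage(build_sample_pdf(FARM_URLS)) returns 22 links on 22 hosts with a single path shape (/uploads/N/N/N/N/N/*) and the flag set, while the same call on CITATION_URLS stays below the link threshold and is not flagged; the two XMP URIs are reported under the text channel and never counted as links. The stream inflation matters because PDF 1.5 writers can place annotation dictionaries in a compressed /ObjStm, where a grep over the raw file never sees the /URI action.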

Extracted artifacts (1)

Files carved from inside the sample during analysis. The carved font is listed as an artifact only; no heuristic in this report attaches a detection to it.

Filename: font_00_sfnt_off000080b9.bin
SHA-256: 791bd4cd1824eaaf5fab860833b83a08772f08bec859e21304d328a28cc59d44
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x80B9
Size: 8948 bytes