Malicious PDF — malware analysis report

Static analysis result for SHA-256 20cb3fb24fbd0c3c…

MALICIOUS

PDF

Size: 44.5 KB
Created: 2020-03-17 12:41:14 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: c1830b766ba268e8c0dc4e3b852bc29f
SHA-1: 86f4faf414684f26ad28e5f6094424a161a8e919
SHA-256: 20cb3fb24fbd0c3ccaff2b7639806a3e7bb1b2d4563a20a10ddd2d6ef18bc5d8
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links to other PDF files hosted on various domains. This technique is often used for SEO spam or to distribute malware. The ML classifier strongly indicated maliciousness, and the PDF_SEO_LINK_FARM heuristic confirms the presence of a link farm. No scripts were extracted, but the sheer volume of outbound links suggests a malicious intent to redirect the user to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000063f3.bin
    SHA-256: 431ed41683a680a2c82e757473d9213373bdf2d68f0bd65a21c6abe27a072808
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x63F3
    Size: 8476 bytes
  • font_01_sfnt_off00008341.bin
    SHA-256: d907c570f1f8f2d62f38d7529dbf77de46ca3a1917ec53aca7a78bae59874b04
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8341
    Size: 2616 bytes
  • font_02_sfnt_off00008c75.bin
    SHA-256: f31c439e28d0137206b91a151f21343900f846ed9ff070250fbe82eb1cc7da1d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8C75
    Size: 16204 bytes