Malicious PDF — malware analysis report

Static analysis result for SHA-256 225ada96d6f97232…

Verdict: MALICIOUS
File type: PDF
Size: 36.5 KB
Created: 2020-04-08 19:20:09 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 9e87ea001ceb58966aff7f4066ee6729
SHA-1: ddc898a83c53ea1f6e384663f7c6d7401f5d9f52
SHA-256: 225ada96d6f972320960116dcbec7a0bb8f0046d968dc525c85aecc74a6d0c11
Risk score: 92

Malware Insights

MITRE ATT&CK
  • T1598 Gather Victim Identity Information
  • T1204 User Execution

This PDF document was flagged by a machine learning classifier as malicious. It contains a large number of external links, many pointing to PDF files hosted on various domains, forming a link farm. The document body, though partially garbled, contains references to 'Tarjetas navideñas para preescolar' and includes URLs that are part of this link farm. The primary attack pattern appears to be directing users to a network of SEO-optimized pages, likely to distribute further malware or engage in click fraud.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://mipuertapuerta.co/uploads/1/3/0/5/130539774/130539774.html#tarjetas+navide%C3%B1as+para+preescolar

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006285.bin
SHA-256: 41b6c31ae25610d5e6fc7b56da638077e08d6d892694bccd9d021a021e84e1f5
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6285
Size: 9164 bytes