Malicious PDF — malware analysis report

Static analysis result for SHA-256 22cdcec00e38dcf1…

Verdict: MALICIOUS
File type: PDF
Size: 26.4 KB
Authoring application: PDF Studio
MD5: ce76dfdf8889b88804f5c2b798707acf
SHA-1: 3c03311e405edcfee6f344f222e7390a052ab4d7
SHA-256: 22cdcec00e38dcf155d5618d186854347f761d13674ed3828d853fcd0db97bce
Risk score: 90

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF contains a large number of embedded external links, a technique often used for SEO poisoning or to distribute further malicious payloads. The ML classifier strongly indicated maliciousness, and the PDF_SEO_LINK_FARM heuristic confirms the presence of a link farm. The document body is heavily obfuscated and contains what appears to be corrupted text, preventing a clear understanding of its specific lure.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (2)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00003817.bin
SHA-256: 733830a4e02930196d4daed1f34741586d9338a258a60342690353257cb6f818
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x3817
Size: 7824 bytes