Malicious PDF — malware analysis report

Static analysis result for SHA-256 23957c17a708c70e…

Verdict: MALICIOUS
File type: PDF
Size: 95.9 KB
Created: 2020-03-22 14:10:59 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: bf0240aff76c87c889f407a19b3d2d60
SHA-1: d0411de1a94f3034fb9734c476eef7873e4f8f02
SHA-256: 23957c17a708c70e78077709cae004109f7b3d00fc88650b81db5c74ff2680dc
Risk score: 92

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File (the link-following behaviour described below corresponds to T1204.001, User Execution: Malicious Link)

The PDF contains an unusually large number of external links, a pattern used for SEO poisoning and for routing users to malicious sites. The link targets share one generated path template (/uploads/1/3/0/<n>/<9-digit id>/<name>.pdf) across fifteen distinct hosts, which is characteristic of mass-produced link-farm documents rather than genuine citations. Although the body text is obfuscated, the document references "Niv 1984 bible pdf" (also visible in the fragment of the first extracted link), and the wkhtmltopdf producer string indicates the file was rendered from HTML, both consistent with a search-term lure built to attract clicks. The ML classifier scored the file as malicious (1.0000), supporting the assessment of a malicious link-farm carrier.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://inlandcbd.com/uploads/1/3/0/6/130621164/130621164.html#niv+1984+bible+pdf
    • http://urgoodenough.org/uploads/1/3/0/2/130291785/a064ac68.pdf
    • http://www.shieldme.co.uk/uploads/1/3/0/4/130491757/84c9596e5dc6c0f.pdf
    • http://www.annesklinikk.no/uploads/1/3/0/6/130604110/686091.pdf
    • http://susu.rocks/uploads/1/3/0/3/130379561/431863.pdf
    • http://excelscaffoldhire.com/uploads/1/3/0/7/130739772/7f0acb8ac40.pdf
    • http://www.bubadii.com/uploads/1/3/0/6/130640142/tasolix-fawira.pdf
    • http://silentsoldierholsters.com/uploads/1/3/0/7/130775797/6273942.pdf
    • http://beyondbasicblack.net/uploads/1/3/0/7/130776514/bagavenufa.pdf
    • http://www.karate4free.com/uploads/1/3/0/9/130969831/mivapajusesop.pdf
    • http://www.waggintailsfun.com/uploads/1/3/0/8/130813077/bddd5.pdf
    • http://mikelscottart.com/uploads/1/3/0/3/130323120/retixizemo.pdf
    • http://www.thechefonice.com/uploads/1/3/0/5/130589450/teziwoni-gukobu.pdf
    • http://handyasiain.com/uploads/1/3/0/7/130775169/zabisitanir_madexazeg_sasewimurobewe_komalijozobosux.pdf
    • http://asmall.shop/uploads/1/3/0/2/130289291/d1819f63bd30.pdf
    • http://peelerapp.com/uploads/1/3/0/3/130379266/8f7eedbbb.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    Note: the last six entries (w3.org, purl.org, ns.adobe.com) are XMP/RDF namespace identifiers from the document's metadata packet, not navigable links, and should be disregarded when judging the link farm. The fifteen .pdf targets sit on fifteen distinct hosts but share one /uploads/1/3/0/<n>/<9-digit id>/<name>.pdf path template.
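The heuristics above describe two separate steps: attributing each extracted URL to the channel that reached it (a /URI link action versus an XMP namespace declaration), and then scoring the document as a link farm from the count and clustering of external .pdf links. The following is an added example written for this page, not the vendor's rule code or the analysed sample. It builds a constructed, uncompressed mini-PDF whose link targets imitate the path shape seen in the list above, extracts URIs per channel with regular expressions, and applies an approximation of the PDF_SEO_LINK_FARM logic; the thresholds (10 links, 200 KB, 60 % clustering) and the host names are assumed values chosen for illustration. Because the extracted URLs here span many hosts but share one path template, the example clusters on either the host or a normalised path template rather than on the host alone.

```python
"""Per-channel URL extraction and link-farm scoring for a PDF.
Added example: approximates the PDF_SEO_LINK_FARM / PDF_URI / EMBEDDED_URL
logic described in the report; thresholds and sample data are assumptions.
Limitation: regexes only see uncompressed objects; objects packed into
compressed object streams (/ObjStm) need a real PDF parser."""
import re
from collections import Counter
from urllib.parse import urlparse

# String-valued /URI key of a URI action. Dictionary key order is not fixed in
# PDF, so we anchor on "/URI (" rather than on "/S /URI /URI". Escaped ")" inside
# the literal string is accepted; the hex-string form <...> is not handled.
URI_ACTION = re.compile(rb"/URI\s*\((?P<uri>(?:\\\)|[^)])*)\)")
# xmlns declarations in the XMP packet: namespace identifiers, not links.
XMP_NS = re.compile(rb'xmlns:[A-Za-z0-9_]+="(?P<ns>[^"]+)"')


def extract_urls(pdf: bytes) -> list[tuple[str, str]]:
    """Return (channel, url) pairs labelled with the channel that reached each URL."""
    found = [("link_annotation", m.group("uri").decode("latin-1").replace("\\)", ")"))
             for m in URI_ACTION.finditer(pdf)]
    found += [("xmp_namespace", m.group("ns").decode("latin-1"))
              for m in XMP_NS.finditer(pdf)]
    return found


def path_template(url: str) -> str:
    """Collapse digit runs and the file name so that
    /uploads/1/3/0/6/130604110/686091.pdf and /uploads/1/3/0/3/130379561/431863.pdf
    both become /uploads/N/N/N/N/N/*.pdf."""
    head, _, name = urlparse(url).path.rpartition("/")
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return re.sub(r"\d+", "N", head) + "/*." + ext


def link_farm_verdict(pdf: bytes, min_links: int = 10, max_size: int = 200_000,
                      cluster_ratio: float = 0.6) -> dict:
    """Score a PDF; thresholds are illustrative assumptions, not the vendor's."""
    links = [u for ch, u in extract_urls(pdf) if ch == "link_annotation"]
    ext_pdf = [u for u in links
               if urlparse(u).scheme in ("http", "https")
               and urlparse(u).path.lower().endswith(".pdf")]
    n = len(ext_pdf)
    hosts = Counter(urlparse(u).netloc.lower() for u in ext_pdf)
    templates = Counter(path_template(u) for u in ext_pdf)
    host_share = hosts.most_common(1)[0][1] / n if n else 0.0
    tmpl_share = templates.most_common(1)[0][1] / n if n else 0.0
    # A farm clusters either on one host or on one generated path template.
    clustered = max(host_share, tmpl_share) >= cluster_ratio
    return {
        "size": len(pdf),
        "external_pdf_links": n,
        "distinct_hosts": len(hosts),
        "top_host_share": round(host_share, 2),
        "top_template_share": round(tmpl_share, 2),
        "PDF_URI": bool(links),
        "PDF_SEO_LINK_FARM": len(pdf) <= max_size and n >= min_links and clustered,
    }


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed minimal PDF (not the analysed sample): one Link annotation per
    URL plus an XMP packet. xref/offsets are omitted; the extractor ignores them."""
    objs = [b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 3 0 R >> endobj",
            b"2 0 obj << /Type /Pages /Kids [4 0 R] /Count 1 >> endobj",
            b"3 0 obj << /Type /Metadata /Subtype /XML >>\nstream\n"
            b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
            b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>\nendstream\nendobj']
    refs = []
    for i, u in enumerate(urls, start=5):
        refs.append(b"%d 0 R" % i)
        objs.append(b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    b"/A << /S /URI /URI (%s) >> >> endobj" % (i, u.encode()))
    objs.insert(3, b"4 0 obj << /Type /Page /Parent 2 0 R /Annots ["
                + b" ".join(refs) + b"] >> endobj")
    return b"%PDF-1.4\n" + b"\n".join(objs) + b"\ntrailer << /Root 1 0 R >>\n%%EOF\n"


# Constructed sample targets (hypothetical hosts) imitating the report's path shape:
# many distinct hosts, one /uploads/N/N/N/N/N/*.pdf template, plus one .html lure.
SAMPLE_URLS = [f"http://site{i}.example/uploads/1/3/0/{i % 10}/1306{i:05d}/{i * 7919:x}.pdf"
               for i in range(12)]
SAMPLE_URLS.append("http://lure.example/uploads/1/3/0/6/130621164/130621164.html#niv+1984+bible+pdf")

if __name__ == "__main__":
    sample = build_sample_pdf(SAMPLE_URLS)
    for channel, url in extract_urls(sample):
        print(f"{channel:16} {url}")
    print(link_farm_verdict(sample))
```

On the constructed sample the host share is about 0.08 while the template share is 1.0, so a rule that only looked at host clustering would miss it; the namespace URIs are reported under their own channel and never enter the count.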

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0001519c.bin
SHA-256: 17835f108621281bebcfbec911fed82bcc73768610a537d9a0b6202a37e702d5
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1519C
Size: 7948 bytes