Malicious PDF — malware analysis report

Static analysis result for SHA-256 24ada7c6b057eb01…

Verdict: MALICIOUS
File type: PDF
Size: 44.5 KB
Created: 2020-03-21 12:23:16 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 05f555b2afb090162032e7b64f98fe2d
SHA-1: 8460ae46eec099c797c53a6fcc70045d2fba8ee9
SHA-256: 24ada7c6b057eb01952f53c14d88b23e0dc50bcde6756c3ca49cc480a122d690
Risk score: 92

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF is small (44.5 KB) and was generated with wkhtmltopdf, yet it carries a dozen clickable external links spread across unrelated domains. Eleven of those targets are further PDFs that all use the same /uploads/1/3/0/<n>/13<n>/ path layout on different hosts, which is the signature of a generated SEO link farm rather than genuine citations. The ML classifier scored the file as malicious with maximum confidence. The attack pattern is indirect: the document itself does nothing on open, but routes anyone who follows its links into external resources that can host further malicious content, unwanted-software downloads or phishing pages. No JavaScript or other active content was extracted, so there is no embedded payload to analyse; the risk sits entirely in where the links lead. The remaining URLs in the file are standard XMP/RDF metadata namespace identifiers and are not outbound links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    External link targets (12):
    • http://thecircleseven.com/uploads/1/3/0/4/130483990/130483990.html#rectas+paralelas+perpendiculares+y+secantes+wikipedia
    • http://1105northfield.com/uploads/1/3/0/9/130969440/kasiwawefuwakobusow.pdf
    • http://scholarlyrepository.net/uploads/1/3/0/5/130588195/6f2e4ccdb.pdf
    • http://livingoutofthisworld.com/uploads/1/3/0/5/130551856/fa50c0e5892d94f.pdf
    • http://bpkwoodwork.com/uploads/1/3/0/3/130312998/94d9dbd3ad.pdf
    • http://rak12library.org/uploads/1/3/0/6/130604519/vopudojokufuvewolawo.pdf
    • http://progressiveastronomy.org/uploads/1/3/0/5/130543272/bepejo.pdf
    • http://mrspiacentini.com/uploads/1/3/0/7/130776519/2cc6a04.pdf
    • http://www.vjencanica.net/uploads/1/3/0/5/130541688/9452564.pdf
    • http://dmaeguidance.com/uploads/1/3/0/6/130621719/86a50506660106e.pdf
    • http://puppyrapsheet.com/uploads/1/3/0/8/130874380/vujazonuwelut.pdf
    • http://www.miamipalmetto68reunion.com/uploads/1/3/0/6/130640209/nagusenotiseroga.pdf
    XMP/RDF metadata namespace URIs (6, not outbound links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
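
The two heuristics above (clickable /URI actions, and URLs that are merely present in the file such as the XMP namespaces) are easy to reproduce on a sample. The following is an added example, not the analyser's code: it pulls /URI link-action targets and all body URLs out of raw PDF bytes, separates metadata namespace URIs from real link targets, and applies a link-farm score based on file size, link count and how strongly the targets cluster by host or by generated path template. The regexes assume uncompressed objects (a real tool inflates FlateDecode streams first), the thresholds are illustrative, and the sample PDF and its hosts are constructed to mirror the path layout seen in this report rather than being the analysed file.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Namespace URIs found in the XMP metadata of almost every PDF; never outbound links.
METADATA_NAMESPACE_PREFIXES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/",
)

# A link action looks like  /A << /S /URI /URI (http://...) >>.  Dictionary key order is
# not fixed, so only the "/URI (literal string)" pair is matched; hex-string targets and
# FlateDecode-compressed objects are out of scope for this illustration (assumption).
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
ANY_URL_RE = re.compile(rb"https?://[^\s<>\"'()]+")


def extract_uri_actions(pdf: bytes) -> list[str]:
    """URLs reached through clickable link annotations (the PDF_URI channel)."""
    return [m.group(1).decode("latin-1") for m in URI_ACTION_RE.finditer(pdf)]


def extract_body_urls(pdf: bytes) -> list[str]:
    """Every http(s) URL anywhere in the file, whatever channel carries it."""
    return sorted({m.group(0).decode("latin-1") for m in ANY_URL_RE.finditer(pdf)})


def is_metadata_namespace(url: str) -> bool:
    return url.startswith(METADATA_NAMESPACE_PREFIXES)


def path_template(url: str) -> str:
    """Collapse digit runs and drop the filename so generated paths group together."""
    head, _, _ = urlparse(url).path.rpartition("/")
    return re.sub(r"\d+", "N", head) + "/*"


def link_farm_verdict(pdf: bytes, *, max_size=64 * 1024, min_links=8, cluster_ratio=0.5) -> dict:
    """Illustrative PDF_SEO_LINK_FARM scoring: small file, many external links,
    targets clustered on one host or one generated path template (thresholds assumed)."""
    uris = [u for u in extract_uri_actions(pdf) if u.startswith(("http://", "https://"))]
    hosts = Counter(urlparse(u).hostname for u in uris)
    templates = Counter(path_template(u) for u in uris)
    top_host = hosts.most_common(1)[0][1] if hosts else 0
    top_template = templates.most_common(1)[0][1] if templates else 0
    clustered = bool(uris) and max(top_host, top_template) / len(uris) >= cluster_ratio
    return {
        "size": len(pdf),
        "link_count": len(uris),
        "distinct_hosts": len(hosts),
        "pdf_targets": sum(u.lower().endswith(".pdf") for u in uris),
        "dominant_template": templates.most_common(1)[0][0] if templates else None,
        "link_farm": len(pdf) <= max_size and len(uris) >= min_links and clustered,
    }


def build_sample_pdf(urls) -> bytes:
    """Constructed minimal PDF: one /Link annotation per URL plus an XMP metadata
    stream. Enough for the regex extractor; not a complete, viewer-ready file."""
    objs = [
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
        b"/A << /S /URI /URI (" + u.encode("latin-1") + b") >> >>"
        for u in urls
    ]
    objs.append(
        b"<< /Type /Metadata /Subtype /XML >>\nstream\n"
        b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
        b'xmlns:dc="http://purl.org/dc/elements/1.1/" '
        b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>\nendstream'
    )
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"%%EOF\n"


# Constructed hosts (.example TLD) using the /uploads/1/3/0/<n>/13<n>/ layout from the report.
SAMPLE_LINKS = [
    "http://alpha.example/uploads/1/3/0/4/130483990/130483990.html",
    "http://bravo.example/uploads/1/3/0/9/130969440/kasiwawefuwa.pdf",
    "http://charlie.example/uploads/1/3/0/5/130588195/6f2e4ccdb.pdf",
    "http://delta.example/uploads/1/3/0/5/130551856/fa50c0e5892d94f.pdf",
    "http://echo.example/uploads/1/3/0/3/130312998/94d9dbd3ad.pdf",
    "http://foxtrot.example/uploads/1/3/0/6/130604519/vopudojoku.pdf",
    "http://golf.example/uploads/1/3/0/5/130543272/bepejo.pdf",
    "http://hotel.example/uploads/1/3/0/7/130776519/2cc6a04.pdf",
    "http://india.example/uploads/1/3/0/5/130541688/9452564.pdf",
]

if __name__ == "__main__":
    sample = build_sample_pdf(SAMPLE_LINKS)
    print(link_farm_verdict(sample))
    for url in extract_body_urls(sample):
        print("metadata " if is_metadata_namespace(url) else "link     ", url)
```

The path-template clustering is what catches this sample: every host is different, so a host-only rule would see one link per host and miss the farm, but all nine targets collapse to /uploads/N/N/N/N/N/*. A two-link control document with the same layout stays below the link-count floor and is not flagged.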

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00006e63.bin
    SHA-256: 7991a6d5c98cde963f670890018737d6de7f79db588d897bcafdd5451eee9976
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6E63
    Size: 8748 bytes
  • font_01_sfnt_off00008e6b.bin
    SHA-256: 07a7dfe061a0787c7970a74e4b12631504d891ec63ab0e7fded75e25f4d07d99
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8E6B
    Size: 16296 bytes