Malicious PDF — malware analysis report

Static analysis result for SHA-256 25c25ffc3f050b50…

Verdict: MALICIOUS

File type: PDF

Size: 42.0 KB
Created: 2020-06-06 14:20:16 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: aff106fae1d6b64594d2afa1e38aa972
SHA-1: eef4f7ef89584c10fa3016fe2911e7a795d779bc
SHA-256: 25c25ffc3f050b502bda1feaf20ddb725d3db12511a9e49861644e2050d9e398

Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, pointing to various PDF documents hosted on different domains. The ML_NYX_PDF_MALICIOUS heuristic also flagged the file with high confidence. The primary attack pattern appears to be a link farm designed to distribute content or manipulate search engine results, potentially leading users to malicious sites or further malware downloads.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://metamorphos.marketingfactorygroup.com/uploads/1/3/1/4/131407061/131407061.html#tout+ce+qu%2527+il+voudra+pdf
    • http://mta-sts.mail.brinkers.nl/uploads/1/3/1/0/131069860/6638171.pdf
    • http://sewbusy.net/uploads/1/3/1/1/131163960/pitezotowemisunaz.pdf
    • http://growatliveoak.com/uploads/1/3/1/4/131407511/995ec9bcd506a.pdf
    • http://tracyfriarsconsulting.com/uploads/1/3/0/7/130740371/wukufuvizozam.pdf
    • http://zeki-turan-sculptor.com/uploads/1/3/0/9/130969426/kisimokumamugev.pdf
    • http://kuddoodles.com/uploads/1/3/0/5/130588754/6636607.pdf
    • http://tiagomasluka.com/uploads/1/3/1/1/131164048/4896f0.pdf
    • http://snohomishvalleygrill.com/uploads/1/3/0/9/130969897/parawilujef.pdf
    • http://metamorphos.marketingfactorygroup.com/uploads/1/3/1/4/131407061/terms.html
    • http://metamorphos.marketingfactorygroup.com/uploads/1/3/1/4/131407061/dmca.html
    • http://metamorphos.marketingfactorygroup.com/uploads/1/3/1/4/131407061/policy.html
    • https://jazasugi116120722.files.wordpress.com/2020/06/darakib.pdf
    • https://zafuzox.files.wordpress.com/2020/06/fumabanevokajimuvepe.pdf
    • https://bapajuzo936771123.files.wordpress.com/2020/06/fepup.pdf
    • https://lonejimi.files.wordpress.com/2020/06/93424901685.pdf
    • https://nopobulaz.files.wordpress.com/2020/06/46498985640.pdf
    • https://xafavuk.files.wordpress.com/2020/06/30994402109.pdf
    • https://tukowux456936723.files.wordpress.com/2020/06/fokuturanujew.pdf
    • https://domunilide.files.wordpress.com/2020/06/vuxixinukitesuk.pdf
    • https://weberex.files.wordpress.com/2020/06/106574498.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000075ed.bin
SHA-256: 8e2ddd45f659986aca7b5d11ee100e858a2c2a3406a1607a7532382afaa206fc
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x75ED
Size: 11680 bytes