Malicious PDF — malware analysis report

Static analysis result for SHA-256 279f16a1d170dfe1…

MALICIOUS

PDF

43.5 KB Created: 2020-03-15 00:59:38 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: b5b2bc8f2ef3075090aa097dd90f8f42 SHA-1: 25361129906568a0c677b31dd88f28c94a71a93c SHA-256: 279f16a1d170dfe13a43d0b440432f2a2911d6b6cf800a1d481bedd5c7af8a5f
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains numerous external links, a common tactic for SEO poisoning and phishing lures. The document body mentions 'Aljazeera tv app', likely a pretext to entice users to click on the embedded malicious URLs. The ML classifier strongly indicated maliciousness, and the PDF_SEO_LINK_FARM heuristic confirms the presence of a link farm designed to manipulate search engine results.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://wcd-ggtd2i7.mgh-r.ch/uploads/1/3/0/6/130621165/130621165.html#aljazeera+tv+app
    • http://royalhawaiiantanning.com/uploads/1/3/0/7/130775186/4792513.pdf
    • http://ridgelineohio.com/uploads/1/3/0/2/130272918/4361ea77072bb9.pdf
    • http://wartskicuratedpieces.com/uploads/1/3/0/6/130639456/nixine.pdf
    • http://cpanel.ronileegallery.com/uploads/1/3/0/2/130291441/firizi.pdf
    • http://jwlknives.com/uploads/1/3/0/4/130488631/valuwijoz.pdf
    • http://septictanksomaha.com/uploads/1/3/1/1/131163516/9416778.pdf
    • http://djrockyjr.stream/uploads/1/3/0/2/130287893/3139570.pdf
    • http://mx.sunnyheightsretrievers.com/uploads/1/3/0/7/130738625/2431021.pdf
    • http://www.nationcreativellc.com/uploads/1/3/0/7/130739938/xonakoded.pdf
    • http://colleencochran.com/uploads/1/3/0/2/130270781/gupefu.pdf
    • http://textilespreserved.com/uploads/1/3/0/4/130488631/bixubeganute_gizijus_vokopuresejuve.pdf
    • http://dunnsdesigns.com/uploads/1/3/0/4/130483830/filubexuguponub.pdf
    • http://awarriorwoman.net/uploads/1/3/0/7/130739944/pujod_nadafenenap_xesatoxa.pdf
    • http://alextindall.net/uploads/1/3/0/2/130271219/9b9be23.pdf
    • http://jcleskoasueportfolio.com/uploads/1/3/1/0/131070911/xobama-nekukupezepip-zaxuxeb-werozajivase.pdf
    • http://www.skypriestess.com/uploads/1/3/0/6/130605393/459354.pdf
    • http://mail.kashisafaris.com/uploads/1/3/0/8/130873875/kijamowifipuj.pdf
    • http://www.smartphonetripod.com/uploads/1/3/0/8/130813722/9005327.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007733.bin
9a1a4082a80a7bae4a51123cb640484b044186ef8e35489c90b36823f35c45d4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7733 8256 bytes
font_01_sfnt_off00009724.bin
e2f1373bf3d70a40ff4276a486f0a1d2d32154e4f45ad1243a44c3d3b7d91cea		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9724 2652 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.