Malicious PDF — malware analysis report

Static analysis result for SHA-256 28065dedacb28b21…

MALICIOUS

PDF

Size: 48.9 KB
Created: 2020-03-20 01:53:52 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: ab3fc5b731602b3414dd8c654b5e237c
SHA-1: 4053e4e6ade58bf763657896da3330dd0bbc9756
SHA-256: 28065dedacb28b2136b329175031e2009585f2c864dbe110ce7b4795500646bc
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

This PDF file exhibits characteristics of a link farm, containing a large number of external URLs pointing to other PDF files. The primary heuristic, PDF_SEO_LINK_FARM, indicates a mass of external links, suggesting a coordinated effort to manipulate search engine results or redirect users to potentially malicious content hosted on numerous domains. The ML classifier also strongly flagged this file as malicious. The document body contains garbled text and a URL that matches one of the extracted external links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://misssoutheastpageantry.us/uploads/1/3/0/5/130551543/130551543.html#definici%C3%B3n+de+angulos+correspondientes
    • http://museofyourownmaking.com/uploads/1/3/0/5/130588445/jofulirevi.pdf
    • http://johnandrews.us/uploads/1/3/0/3/130379307/jevemapunux.pdf
    • http://www.artsholidayitaly.com/uploads/1/3/0/8/130814286/fodova.pdf
    • http://309brightfuture.org/uploads/1/3/0/6/130621937/kenegizozewiku_povizet_sonax_mefuteban.pdf
    • http://www.nandaphoto.com/uploads/1/3/0/7/130739336/3526310.pdf
    • http://canotekpark.com/uploads/1/3/0/3/130313127/4473245.pdf
    • http://kbkwmllc.com/uploads/1/3/0/7/130775949/3ffaa9e02554.pdf
    • http://kiijarvi.fi/uploads/1/3/0/2/130272603/gigapuralejonij.pdf
    • http://nwminiatureshow.com/uploads/1/3/0/4/130476628/zijoxakejaw.pdf
    • http://chaseinsulinbox.com/uploads/1/3/0/6/130604519/790838f67d.pdf
    • http://castag.org/uploads/1/3/0/7/130739159/begafepejamiveg-nukov-roxofepemix-sibuzanez.pdf
    • http://newvoicecluboforegon.com/uploads/1/3/0/9/130969671/mixozuzegewe_dagalupip_tawuxalok_wuliwajulo.pdf
    • http://bagelboulevard.com/uploads/1/3/0/4/130483739/b529e4d256a1bb.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000702b.bin | 0a4e7f08e8c8899735e5b315edb338674c61528144556d6f9b9819f0b3331634 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x702B | 8848 bytes
font_01_sfnt_off0000906b.bin | 30173fca61eb7fb1890408bc8eab32262c7d9608bd9f7f7ed9c6a4f1d19c1089 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x906B | 3700 bytes
font_02_sfnt_off00009d53.bin | 891f5e3747942cb967ed54429b32525f4267d97b2541b79d426b699094d4d627 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9D53 | 16288 bytes