Malicious PDF — malware analysis report

Static analysis result for SHA-256 29ebdf5b77c38c4d…

Verdict: MALICIOUS
File type: PDF
Size: 40.6 KB
Created: 2020-04-17 01:57:56 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: b387ce2c20d1958f6112f21d293c5189
SHA-1: b652ab5d24062e3e54b9f18f062cf736784e3bd6
SHA-256: 29ebdf5b77c38c4d880e98dcf680196ab143f27f7686bcd85e9334fa25a5a776
Risk score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF contains a large number of external links, many of which are hosted on domains that appear to be part of a link farm. The document body text mentions 'Usps change of address ps form 3575', suggesting a social engineering lure. The ML classifier strongly indicated maliciousness, and the PDF_SEO_LINK_FARM heuristic confirms the suspicious linking behavior. No scripts were extracted, but the primary attack pattern involves redirecting users to potentially malicious external content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9979

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007606.bin
SHA-256: 64296a7cf3d32497201b55590b92fd17a151c9c88533386f1ace8096177dc4b6
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x7606
Size: 8540 bytes