Malicious PDF — malware analysis report

Static analysis result for SHA-256 29ec180be611470c…

Verdict: MALICIOUS
File type: PDF
Size: 62.5 KB
Created: 2020-04-17 19:52:06 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: afd5931e97253569e51285dca0736a0b
SHA-1: 0652d7c1447e78e87483d974745f8402dbb7ee19
SHA-256: 29ec180be611470c8cbe96bd4241b2c6e6945ff006e5285ba3d1a5a6be1af6aa
Risk score: 92

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File (the recipient opens the PDF)
T1204.001 User Execution: Malicious Link (the recipient follows one of its embedded links; note that T1204.002 is Malicious File, not Malicious Link)

The PDF contains a large number of external links, most of which point to other PDF files under look-alike /uploads/1/3/… paths with numeric or random slugs, a pattern typical of a generated link farm used for SEO manipulation. The (truncated) document body also contains a URL that follows the same path pattern. No scripts were extracted from this sample; the malicious behaviour is limited to steering users into a network of potentially malicious or spam-related websites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Document body URL:
    • http://thetowermen.org/uploads/1/3/0/2/130271031/130271031.html#do+keloids+form+on+face
    Clickable external link targets (PDF files with numeric or random slugs; the last entry is truncated in the extraction):
    • http://createabookchangetheworld.com/uploads/1/3/1/3/131379946/07a9127.pdf
    • http://msptohumboldtproducts.com/uploads/1/3/0/8/130874522/luvopofelumezanake.pdf
    • http://embodimentbykait.com/uploads/1/3/1/6/131606815/f8064c.pdf
    • http://follygirl.org/uploads/1/3/1/4/131408092/lugurini.pdf
    • http://ishasushi.com/uploads/1/3/0/5/130589310/womus-mijikafolonad-wewurukamipaxe.pdf
    • http://contenova.com/uploads/1/3/0/8/130813922/bujiximeludo.pdf
    • http://stealthlaptops.com/uploads/1/3/0/5/130588438/zazawudaf_tinuza_tadozipu.pdf
    • http://bhamm.net/uploads/1/3/1/3/131380564/338d08c20bfd698.pdf
    • http://metzca.com/uploads/1/3/1/6/131636819/9761920.pdf
    • http://fusioncoachingak.com/uploads/1/3/0/6/130603760/3a230998da2.pdf
    • http://roomparentcorner.com/uploads/1/3/0/9/130969587/2823889.pdf
    • http://omahametropolitanmovers.com/uploads/1/3/0/6/130640070/silobimugawitun-fejafaniwudep-kazunuwul.pdf
    • http://medicaltrainingassociates.com/uploads/1/3/1/4/131409135/9278816.pdf
    • http://suzannesamin.com/uploads/1/3/0/5/130590671/fef0e3a.pdf
    • http://purplepipes.co/uploads/1/3/1/3/131397981/f0dc1.pdf
    • http://ishasushi.com/uploads/1/3/0/5/130589310/w
    XMP metadata namespace URIs (standard RDF, Dublin Core and Adobe schema identifiers from the document's XMP packet; these are not clickable links and are not indicators on their own):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
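The two points a practitioner wants to reproduce from the PDF_SEO_LINK_FARM and EMBEDDED_URL entries are (a) which channel each URL came from, so that XMP namespace URIs are not confused with clickable links, and (b) the link-farm signal itself: a small file, many external /URI actions, concentrated on one host or all pointing at .pdf targets. The script below is an added example written for this report, not code from the analysis platform or its classifier. It builds a constructed PDF-like byte buffer inline (the hosts farm.example, other.example, third.example and body.example and the numeric thresholds are hypothetical), then labels each URL by channel and applies the heuristic.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample, not the analysed file: eight /Link annotations with /URI
# actions (six on one hypothetical host, seven pointing at .pdf files), one bare
# URL inside a page content stream, and an XMP packet whose xmlns attributes are
# namespace URIs rather than links.
LINK_TARGETS = [
    b"http://farm.example/uploads/1/3/0/5/130589310/a1.pdf",
    b"http://farm.example/uploads/1/3/0/5/130589310/b2c3.pdf",
    b"http://farm.example/uploads/1/3/0/5/130589310/d4e5f6.pdf",
    b"http://farm.example/uploads/1/3/0/5/130589310/9761920.pdf",
    b"http://farm.example/uploads/1/3/0/5/130589310/2823889.pdf",
    b"http://farm.example/uploads/1/3/0/5/130589310/fef0e3a.pdf",
    b"http://other.example/uploads/1/3/1/3/131379946/07a9127.pdf",
    b"http://third.example/index.html",
]

def _annot(num, url):
    """One /Link annotation object whose /A dictionary is a /URI action."""
    return (b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
            b"/A << /S /URI /URI (%s) >> >> endobj\n" % (num, url))

def _stream(num, header, data):
    """One stream object with a correct direct /Length."""
    return (b"%d 0 obj << %s /Length %d >>\nstream\n" % (num, header, len(data))
            + data + b"\nendstream\nendobj\n")

XMP = (b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"\n'
       b'         xmlns:pdf="http://ns.adobe.com/pdf/1.3/"></rdf:RDF>')

SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R "
    b"/Annots [5 0 R 6 0 R 7 0 R 8 0 R 9 0 R 10 0 R 11 0 R 12 0 R] >> endobj\n"
    + _stream(4, b"", b"BT (See http://body.example/page.html#q) Tj ET")
    + b"".join(_annot(5 + i, u) for i, u in enumerate(LINK_TARGETS))
    + _stream(13, b"/Type /Metadata /Subtype /XML", XMP)
    + b"%%EOF\n"
)

# /URI key followed by a literal string; handles backslash-escaped parentheses.
# (Hex-string URIs and indirect /A references are not handled in this example.)
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
XMLNS_RE = re.compile(rb'xmlns:[A-Za-z0-9_.-]+="([^"]+)"')
BARE_URL_RE = re.compile(rb"https?://[^\s()<>\"']+")

def _unescape(s):
    # Undo the PDF literal-string escapes that matter for URLs: \( \) \\
    return re.sub(rb"\\([()\\])", rb"\1", s)

def extract_urls(pdf_bytes):
    """Return [(channel, url)] with channel in link-annotation / xmp-namespace / body."""
    annot = [_unescape(m.group(1)).decode("latin-1") for m in URI_ACTION_RE.finditer(pdf_bytes)]
    xmp = [m.group(1).decode("latin-1") for m in XMLNS_RE.finditer(pdf_bytes)]
    found = [("link-annotation", u) for u in annot] + [("xmp-namespace", u) for u in xmp]
    seen = set(annot) | set(xmp)
    for m in BARE_URL_RE.finditer(pdf_bytes):
        u = m.group(0).decode("latin-1")
        if u not in seen:          # anything left over reached us only via raw body text
            seen.add(u)
            found.append(("body", u))
    return found

def score_link_farm(pdf_bytes, max_size=256 * 1024, min_links=8,
                    host_share=0.5, pdf_share=0.7):
    """Hypothetical thresholds: small file, >= min_links external URI actions,
    and either one host dominating or most targets being .pdf files."""
    links = [u for ch, u in extract_urls(pdf_bytes) if ch == "link-annotation"]
    external = [u for u in links if urlparse(u).scheme in ("http", "https")]
    n = len(external)
    hosts = Counter((urlparse(u).hostname or "").lower() for u in external)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    pdf_n = sum(1 for u in external if urlparse(u).path.lower().endswith(".pdf"))
    flagged = (len(pdf_bytes) <= max_size and n > 0 and n >= min_links
               and (top_n / n >= host_share or pdf_n / n >= pdf_share))
    return {"file_size": len(pdf_bytes), "external_links": n, "top_host": top_host,
            "top_host_links": top_n, "pdf_links": pdf_n, "flagged": flagged}

if __name__ == "__main__":
    for channel, url in extract_urls(SAMPLE_PDF):
        print(f"{channel:16} {url}")
    print(score_link_farm(SAMPLE_PDF))
```

The channel label is what keeps the verdict honest: the XMP namespace URIs are found by the bare-URL regex too, but because they were already attributed to xmlns attributes they never count toward the link-farm score. Only /URI actions, i.e. things a reader can click, feed the heuristic.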

Extracted artifacts (3)

Files carved from inside the sample during analysis. Embedded sfnt (TrueType/OpenType) font streams are normal output of an HTML-to-PDF renderer such as wkhtmltopdf; they are listed as carved artifacts for reference, not as detections.

Filename: font_00_sfnt_off0000a89b.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xA89B
  Size: 9024 bytes
  SHA-256: b2bce1e2da62ed353959d9dadc20cfcfaeb007a7b28f589496e97661c5429ac7

Filename: font_01_sfnt_off0000caaa.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xCAAA
  Size: 3228 bytes
  SHA-256: 69b369587b94cc3f76303c2aef7a3026d2bfc90b1c35e782bc9254b536370242

Filename: font_02_sfnt_off0000d59b.bin
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xD59B
  Size: 16276 bytes
  SHA-256: 404bcf40e9b17629b863f348aa76275024d2857540cd0d751b1d57ae5dfeca52
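To reproduce the artifact table above (offset, decoded size, SHA-256 per embedded font) the analyst walks the PDF's stream objects, inflates the Flate-encoded ones, and keeps the streams that begin with an sfnt signature. The script below is an added example written for this report, not the analysis platform's carver; it constructs a small PDF inline with a hypothetical Flate-compressed TrueType font (FontFile2), an uncompressed Mac-style sfnt, and a non-font content stream, and only handles direct /Length values and the FlateDecode filter.

```python
import hashlib
import re
import zlib

# sfnt version tags: TrueType (0x00010000), Mac TrueType ('true'), CFF OpenType ('OTTO'),
# TrueType collection ('ttcf').
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO", b"ttcf")

# Constructed fake font payloads (not real fonts, only the header tag matters here).
FAKE_TTF = b"\x00\x01\x00\x00" + b"\x00\x01\x00\x10\x00\x00\x00\x00" + b"cmap" + bytes(52)
FAKE_TTF_SHA256 = hashlib.sha256(FAKE_TTF).hexdigest()
COMPRESSED_TTF = zlib.compress(FAKE_TTF)
FAKE_MAC_FONT = b"true" + bytes(28)

def _obj(num, header, data=None):
    """Serialize one indirect object; stream objects get a correct direct /Length."""
    if data is None:
        return b"%d 0 obj\n<< %s >>\nendobj\n" % (num, header)
    return (b"%d 0 obj\n<< %s /Length %d >>\nstream\n" % (num, header, len(data))
            + data + b"\nendstream\nendobj\n")

def build_sample_pdf():
    """Constructed sample: one FlateDecode FontFile2, one raw sfnt, one content stream."""
    return (b"%PDF-1.4\n"
            + _obj(1, b"/Type /Catalog /Pages 2 0 R")
            + _obj(2, b"/Type /Pages /Kids [] /Count 0")
            + _obj(3, b"/Type /FontDescriptor /FontName /Fake /FontFile2 4 0 R")
            + _obj(4, b"/Length1 %d /Filter /FlateDecode" % len(FAKE_TTF), COMPRESSED_TTF)
            + _obj(5, b"/Length1 %d" % len(FAKE_MAC_FONT), FAKE_MAC_FONT)
            + _obj(6, b"", b"BT /F1 12 Tf (not a font) Tj ET")
            + b"%%EOF\n")

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.S)
STREAM_START_RE = re.compile(rb"\bstream\r?\n")
# Direct integer /Length only; "/Length 12 0 R" (indirect) is deliberately not matched.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(?!\s+\d+\s+R)")

def carve_sfnt_fonts(pdf_bytes):
    """Return one record per stream whose decoded bytes start with an sfnt tag."""
    fonts = []
    for om in OBJ_RE.finditer(pdf_bytes):
        body, body_off = om.group(2), om.start(2)
        sm = STREAM_START_RE.search(body)
        if not sm:
            continue                                  # not a stream object
        header, data_start = body[:sm.start()], sm.end()
        lm = LENGTH_RE.search(header)
        if lm:
            raw = body[data_start:data_start + int(lm.group(1))]
        else:                                         # fall back to the endstream keyword
            raw = body[data_start:body.find(b"endstream", data_start)].rstrip(b"\r\n")
        filt, data = None, raw
        if b"/FlateDecode" in header:
            filt = "FlateDecode"
            try:
                data = zlib.decompress(raw)
            except zlib.error:
                continue                              # corrupt stream: skip, do not crash
        elif b"/Filter" in header:
            continue                                  # other filters not handled here
        if data[:4] in SFNT_MAGICS:
            fonts.append({
                "object": int(om.group(1)),
                "offset": body_off + data_start,      # file offset of the raw stream data
                "raw_size": len(raw),
                "size": len(data),                    # size after decoding, as in the report
                "filter": filt,
                "tag": data[:4],
                "sha256": hashlib.sha256(data).hexdigest(),
            })
    return fonts

if __name__ == "__main__":
    pdf = build_sample_pdf()
    for i, f in enumerate(carve_sfnt_fonts(pdf)):
        print(f"font_{i:02d}_sfnt_off{f['offset']:08x}.bin  {f['size']} bytes  "
              f"{f['filter'] or 'raw'}  {f['sha256']}")
```

The hash is taken over the decoded bytes, so it stays stable across different Flate settings in the producer and can be matched against font hashes from other samples; the offset, by contrast, points at the still-encoded stream data inside the file.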