Malicious PDF — malware analysis report

Static analysis result for SHA-256 2c25f3fc48613c08…

Verdict: MALICIOUS
File type: PDF
Size: 37.7 KB
Created: 2020-05-15 18:44:06 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 00ff8bb3ef08e8b87f6caf0091958229
SHA-1: e65e12e34f7c7cc19d02ce369f7a77725c9091a7
SHA-256: 2c25f3fc48613c087c87bc1aabc08ef56d89ddb46578923e741e3414ca2a28a9
Risk score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.001 User Execution: Malicious Link

The PDF carries an unusually large set of external links for its size, matched by the PDF_SEO_LINK_FARM heuristic: 22 of the 23 link actions point at .pdf files on 22 distinct hosts that all share one path template (/uploads/1/3/<d>/<d>/<9-digit id>/<name>.pdf), the pattern of mass-generated link-farm documents rather than genuine citations, and the remaining link carries search-keyword bait in its URL fragment. The Nyx PDF classifier (ML_NYX_PDF_MALICIOUS) independently scores the file as malicious with a probability of 0.9999. The body text and the URLs bear no relation to one another, and the producer string (wkhtmltopdf, an HTML-to-PDF converter) is consistent with the file having been generated from a web page. Together these indicate that the document exists to host and route users to external resources, not to convey legitimate content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://blr-logistics.com/uploads/1/3/0/5/130590371/130590371.html#aashiqui+2+songs++mp4+audio+masstamilan
    • http://fakejustice.us/uploads/1/3/0/2/130287504/5290275.pdf
    • http://the-whole-thing.com/uploads/1/3/0/6/130620521/9738907.pdf
    • http://lascyclistas.com/uploads/1/3/0/7/130775840/rezapelogawutixes.pdf
    • http://countrygirlbowtique.com/uploads/1/3/0/7/130739575/4a05e4.pdf
    • http://officestarconsulting.com/uploads/1/3/0/6/130603823/5d9622.pdf
    • http://thewreckingroom.net/uploads/1/3/0/5/130547038/7172186.pdf
    • http://firebirdperformance.com/uploads/1/3/0/7/130775134/5162334.pdf
    • http://nymannauto.com/uploads/1/3/1/8/131856062/tujewerekizamov_defemofade.pdf
    • http://melissawrightlmt.com/uploads/1/3/0/7/130740427/fikof.pdf
    • http://mimsmemoryquilts.com/uploads/1/3/0/3/130312976/48a1093580d56.pdf
    • http://vermontyogaretreats.com/uploads/1/3/0/4/130435569/6880802.pdf
    • http://crcid.net/uploads/1/3/0/3/130313176/xugude_gagejun.pdf
    • http://erxclusive.com/uploads/1/3/0/6/130604010/9c9de48d72120.pdf
    • http://myfreeworldofwarcraft.com/uploads/1/3/0/6/130620510/1d20709ca.pdf
    • http://askthepotscientist.com/uploads/1/3/0/7/130739024/5ddb684f.pdf
    • http://scuwibblog.com/uploads/1/3/1/6/131606844/f36932.pdf
    • http://actinghockey.com/uploads/1/3/0/8/130873917/dazujomu.pdf
    • http://metroeastinterfaith.com/uploads/1/3/0/7/130776811/5560470.pdf
    • http://manfredocamperio.it/uploads/1/3/0/7/130776147/83a1bdbe9b87c1.pdf
    • http://karenlaurapeters.com/uploads/1/3/0/8/130874598/fb750b2d5e68ade.pdf
    • http://stvio.org/uploads/1/3/1/0/131070062/2143500.pdf
    • http://msmckinney.com/uploads/1/3/1/4/131483386/2886791.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries are RDF, Dublin Core and Adobe XMP namespace identifiers from the document's metadata stream. Any XMP-carrying PDF contains them; they are not navigable links and are not link actions, and they appear here only because the URL extractor matched them in the document body.
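The PDF_SEO_LINK_FARM heuristic above is described in prose only. The following is an added example, not code from the report or its analysis engine, of how such a check can be implemented: extract /URI link actions from the raw PDF bytes (inflating Flate-compressed streams so object-stream writers are covered), keep only external .pdf targets, and flag a small file whose links cluster on one host or, as in this sample, on one digit-normalised path template across many hosts. The sample PDF blob, its host names and the thresholds are constructed here for illustration and are not from the report; the blob reproduces only the syntax the scanner keys on and is not a renderable PDF.

```python
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample URLs: hypothetical hosts, one shared path template.
SAMPLE_URLS = [
    f"http://site{i:02d}.example/uploads/1/3/0/{i % 9}/13{i:07d}/{i * 7919}.pdf"
    for i in range(1, 13)
]

# XMP namespace URIs like these are metadata, not link actions, and must not be counted.
XMP_STUB = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
            b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
            b'xmlns:dc="http://purl.org/dc/elements/1.1/"/></x:xmpmeta>')


def build_sample_pdf(urls, compress_annots=False):
    """Build a minimal PDF-like blob with /URI link actions and an XMP stream (constructed)."""
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
        b"/A << /S /URI /URI (" + u.encode() + b") >> >>\n"
        for u in urls
    )
    if compress_annots:  # writers that use object streams put annotations inside Flate data
        body = zlib.compress(annots)
        annots = (b"<< /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n" % len(body)
                  + body + b"\nendstream\n")
    xmp = (b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(XMP_STUB)
           + XMP_STUB + b"\nendstream\n")
    return b"%PDF-1.4\n" + annots + xmp + b"%%EOF\n"


_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)  # /URI (literal string)
_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")                 # /URI <hex string>
_STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.S)


def _candidate_buffers(pdf_bytes):
    """Yield the raw file, then every stream that inflates as zlib data."""
    yield pdf_bytes
    for m in _STREAM.finditer(pdf_bytes):
        try:
            yield zlib.decompressobj().decompress(m.group(1))  # tolerates trailing EOL bytes
        except zlib.error:
            continue  # image, font, plain XML, ...: not Flate data


def extract_uri_actions(pdf_bytes):
    """Return the target of every /URI action found in raw or inflated content."""
    urls = []
    for buf in _candidate_buffers(pdf_bytes):
        for m in _LITERAL.finditer(buf):
            raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # undo PDF string escapes
            urls.append(raw.decode("latin-1"))
        for m in _HEX.finditer(buf):
            hexs = re.sub(rb"\s", b"", m.group(1))
            if len(hexs) % 2:
                hexs += b"0"  # PDF pads an odd final hex digit with 0
            urls.append(bytes.fromhex(hexs.decode("ascii")).decode("latin-1"))
    return urls


def score_link_farm(pdf_bytes, max_size=256 * 1024, min_links=10, cluster_share=0.5):
    """Flag a small PDF whose external .pdf links cluster by host or by path template."""
    urls = extract_uri_actions(pdf_bytes)
    ext_pdf = [u for u in urls
               if u.lower().startswith(("http://", "https://"))
               and urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).netloc.lower() for u in ext_pdf)
    # Normalise digit runs so /uploads/1/3/0/5/130590371/x.pdf and /uploads/1/3/1/8/131856062/y.pdf agree.
    templates = Counter(re.sub(r"\d+", "N", urlsplit(u).path) for u in ext_pdf)
    n = len(ext_pdf)
    host_share = max(hosts.values()) / n if n else 0.0
    template_share = max(templates.values()) / n if n else 0.0
    flagged = (len(pdf_bytes) <= max_size and n >= min_links
               and max(host_share, template_share) >= cluster_share)
    return {"size": len(pdf_bytes), "uri_actions": len(urls), "external_pdf_links": n,
            "distinct_hosts": len(hosts), "top_host_share": host_share,
            "top_path_template": templates.most_common(1)[0][0] if n else None,
            "top_template_share": template_share, "flagged": flagged}


if __name__ == "__main__":
    print(score_link_farm(build_sample_pdf(SAMPLE_URLS)))
```

The thresholds are illustrative; a production rule would tune them against a corpus and would also weigh the link count against the amount of body text, since a long legitimate document with many citations should not trip the rule. Scanning raw bytes with regular expressions is deliberate for triage speed, but it misses encrypted files and non-Flate filters, and a full parse with a PDF library is the right tool once a file is flagged.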

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000065c1.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x65C1
    Size: 10816 bytes
    SHA-256: 1850314ca63d524b39c04b17c240f98245f91f02451dde282f5490c804d0489e
    An embedded font is expected in a document produced by wkhtmltopdf/Qt; it is carved so that it can be hashed and examined on its own, and its presence is not itself a detection.
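The artifact entry above gives an offset and a byte length for the carved sfnt font but not how those values are obtained. As an added example, not code from the report's carving engine, the following scans a byte blob for sfnt signatures, validates the table directory at each hit (table count, printable four-byte tags, every table lying after the directory and inside the buffer) and derives the font's extent from the furthest table end, which is how a carver can turn "sfnt at offset X" into a size and a hash. The sample font and the PDF-like wrapper are constructed here, with zeroed table checksums and dummy table contents, and are not the real artifact; the real stream would normally be Flate-compressed and must be inflated before scanning.

```python
import hashlib
import struct

# TrueType, CFF-flavoured OpenType and Apple 'true' signatures (collections 'ttcf' are not handled).
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true")


def sfnt_extent(buf, off, max_tables=64):
    """Validate the sfnt table directory at buf[off]; return (length, tags) or None."""
    if off + 12 > len(buf):
        return None
    num_tables = struct.unpack_from(">H", buf, off + 4)[0]
    if not 1 <= num_tables <= max_tables:
        return None
    dir_len = 12 + 16 * num_tables
    if off + dir_len > len(buf):
        return None
    end, tags = dir_len, []
    for i in range(num_tables):
        tag, _csum, toff, tlen = struct.unpack_from(">4sIII", buf, off + 12 + 16 * i)
        if not all(0x20 <= c <= 0x7E for c in tag):      # tags are four printable ASCII bytes
            return None
        if toff < dir_len or off + toff + tlen > len(buf):  # table must follow the directory and fit
            return None
        end = max(end, toff + tlen)
        tags.append(tag.decode("ascii"))
    # Tables are 4-byte aligned; the final pad may be missing at the end of a stream.
    end = min((end + 3) & ~3, len(buf) - off)
    return end, tags


def carve_sfnt(blob, min_tables=3):
    """Return every self-consistent sfnt found in blob, with offset, size, tags and SHA-256."""
    hits = []
    for magic in SFNT_MAGICS:
        pos = blob.find(magic)
        while pos != -1:
            ext = sfnt_extent(blob, pos)
            if ext and len(ext[1]) >= min_tables:
                size, tags = ext
                data = blob[pos:pos + size]
                hits.append({"offset": pos, "size": size, "tables": tags,
                             "sha256": hashlib.sha256(data).hexdigest()})
            pos = blob.find(magic, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def build_sample_sfnt(tables):
    """Constructed minimal TrueType-flavoured sfnt: real directory layout, zero checksums."""
    n = len(tables)
    entry_selector = n.bit_length() - 1            # floor(log2(n))
    search_range = (1 << entry_selector) * 16
    range_shift = n * 16 - search_range
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", n, search_range, entry_selector, range_shift)
    records, body, off = b"", b"", 12 + 16 * n
    for tag, data in tables:
        records += struct.pack(">4sIII", tag, 0, off, len(data))
        padded = data + b"\0" * (-len(data) % 4)
        body += padded
        off += len(padded)
    return header + records + body


# Constructed sample: the 'head' table starts with 0x00010000, a decoy sfnt magic that the
# directory check must reject, and the wrapper carries a PDF 'true' keyword as a second decoy.
SAMPLE_FONT = build_sample_sfnt([
    (b"head", b"\x00\x01\x00\x00" + b"\0" * 50),
    (b"hhea", b"\0" * 36),
    (b"maxp", b"\x00\x00\x50\x00\x00\x10"),
])
SAMPLE_PDF = (b"%PDF-1.4\n<< /Type /XObject /Interpolate true /Length 10 >>\nstream\nnot-a-font\nendstream\n"
              + b"<< /Length %d /Length1 %d >>\nstream\n" % (len(SAMPLE_FONT), len(SAMPLE_FONT))
              + SAMPLE_FONT + b"\nendstream\n%%EOF\n")


if __name__ == "__main__":
    for hit in carve_sfnt(SAMPLE_PDF):
        print(f"sfnt at 0x{hit['offset']:X}, {hit['size']} bytes, tables {hit['tables']}, sha256 {hit['sha256']}")
```

The directory validation is what keeps the four-byte TrueType magic, which is just a version number, from firing on arbitrary binary data; the two decoys in the sample show both failure modes (a table count of zero, and a count far above any real font). For a font embedded via /FontFile2 the /Length1 entry in the stream dictionary gives the same size directly, so comparing the two is a cheap consistency check on a carved artifact.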