Malicious PDF — malware analysis report

Static analysis result for SHA-256 2d7302fc4079e582…

MALICIOUS

PDF

Size: 36.1 KB
Created: 2020-04-24 05:46:08 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 04b3978ea3786f42d556c344ffcb3b1e
SHA-1: 1afd42af4b17a74fde962740c9ad2316ebff3f3e
SHA-256: 2d7302fc4079e582e5b8c1209f0da35a0e038f0ebb282a7c99ac951e84da59af
Risk score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains numerous external links, many of which are numerically or generically named, suggesting an SEO link farm or a phishing lure. The ML classifier strongly indicated maliciousness. The document body, though heavily obfuscated, contains references to the URLs, reinforcing the attack pattern. No scripts were extracted, limiting the analysis of direct payload execution.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9984

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00005c4f.bin
    SHA-256: b3ed9205e82d96a012745a8600637ff2e2a113274ed0e2c307eeb7820c3dd8dc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5C4F
    Size: 7788 bytes
  • Filename: font_01_sfnt_off00007a93.bin
    SHA-256: 6dc6e07f93ae70488a19e8a398a1c6cda2f5723fc3d3cbe180c5afbb10c3611e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7A93
    Size: 2864 bytes