Malicious PDF — malware analysis report

Static analysis result for SHA-256 307fe54c1bb9aa5b…

Verdict: MALICIOUS
File type: PDF
Size: 40.8 KB
Created: 2020-04-02 20:45:43 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: a35222f176d02e133524033322bdbf2d
SHA-1: ed5c8936060d4036225e23befc0b25324b8cea87
SHA-256: 307fe54c1bb9aa5b897bbd7873845a4997b20b571b9f7c8d9363319f6339d76d
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded external links, a technique often used for SEO poisoning or to distribute malicious payloads. The PDF_SEO_LINK_FARM heuristic confirms this behavior: the sample carries a mass of generated external PDF links. The ML classifier also flagged this PDF as malicious with high confidence. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://mountainfc.org/uploads/1/3/0/4/130490808/130490808.html#sector+7+david+wiesner
    • http://rehomingpaws.com/uploads/1/3/0/4/130477882/74410d6115.pdf
    • http://no-such-thing.org/uploads/1/3/0/4/130483331/xekituwesit.pdf
    • http://thelightoftheworldchoir.net/uploads/1/3/1/3/131381605/fudutako.pdf
    • http://adaptiveshootingsports.com/uploads/1/3/0/6/130620624/galisixasanofafu.pdf
    • http://therealsheaqueen.com/uploads/1/3/0/9/130969329/dokofizex.pdf
    • http://catsfirstspayclinic.com/uploads/1/3/0/6/130621457/dodejumekogaw-koniveves-nulabelakuf.pdf
    • http://islandarkproject.org/uploads/1/3/0/9/130969283/8449643.pdf
    • http://maryvilleguitarlessons.com/uploads/1/3/0/3/130324416/2a530ec145.pdf
    • http://onceuponatimeprincessparty.net/uploads/1/3/0/8/130814631/lubidemonag.pdf
    • http://uxhability.com/uploads/1/3/0/7/130776521/luzuganuk_rugisofaz_gevinem_giroriloduta.pdf
    • http://acculturationofmormons.org/uploads/1/3/0/6/130605015/7a718.pdf
    • http://thegermancharme.com/uploads/1/3/0/2/130287229/45530e692be00b.pdf
    • http://karlek.kitchen/uploads/1/3/0/7/130738825/8e6ca37e3319599.pdf
    • http://thedetermineddoula.com/uploads/1/3/0/4/130436078/1503383.pdf
    • http://since1984.co/uploads/1/3/0/6/130639822/171fe1e6cb9.pdf
    • http://maxwellbodyworks.net/uploads/1/3/0/7/130775897/tikujidek.pdf
    • http://wedgelessform.com/uploads/1/3/0/2/130287493/ximatikisagu-fobexatuzikik-zokegimi-kovakomeb.pdf
    • http://juliabostridge.com/uploads/1/3/0/4/130476632/756b76a.pdf
    • http://lyonandtheladies.com/uploads/1/3/0/6/130620471/1683b50cc.pdf
    • http://battlemountaingroup.com/uploads/1/3/0/5/130590399/vobebotulu.pdf
    • http://lrjrhawks.org/uploads/1/3/0/3/130313671/mapewimalujigoberexe.pdf
    • http://laterallogisticsolutions.com/uploads/1/3/0/8/130813965/vefoxorikimopotiridu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007720.bin
SHA-256: 7e826c298bc6f70ed5c95355dda73210a98cf6ca6740a722dd0037114b5deef6
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x7720
Size: 7860 bytes