Malicious PDF — malware analysis report

Static analysis result for SHA-256 313d6bf3688dd0f8…

MALICIOUS

PDF

40.9 KB Created: 2020-06-09 05:47:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c3ba2ee24833018a1bbfaa755f93ba55 SHA-1: f7effab3b35b0dded3a0e6234507ca3bdf945238 SHA-256: 313d6bf3688dd0f8d23a90f33a33a379be9edfc2583ca7bafbb52073c7ed3011
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The PDF file was flagged by a machine learning classifier as malicious. It contains a large number of external links, many of which point to similarly structured URLs on different domains, suggesting a link farm or SEO spam operation. The embedded document body text, though partially corrupted, contains a title related to streaming and the wkhtmltopdf application, indicating it was likely generated programmatically. The primary attack pattern involves redirecting users to these external sites, which could host further malicious content or phishing pages.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://stn-silver.com/uploads/1/3/0/3/130379087/130379087.html#r%25C3%25AAve+de+champion+streaming+vf
    • http://hostmaster.silverstonegolf.co.uk/uploads/1/3/1/8/131872239/5677378.pdf
    • http://ab.undesirable.us/uploads/1/3/1/3/131382539/895760.pdf
    • http://webuyhousesingta.com/uploads/1/3/0/8/130874258/7775801.pdf
    • http://afraidtosay.org/uploads/1/3/0/5/130589222/9b49f768e6abd8.pdf
    • http://kaileyeskine.org/uploads/1/3/0/9/130969506/380759.pdf
    • http://mail.ruxtonadvisors.com/uploads/1/3/1/6/131637558/ddb9a67a7c.pdf
    • http://stores.circleofapparel.co/uploads/1/3/0/5/130551086/35c4ba0a8aa9e5.pdf
    • http://rcdesigns-online.net/uploads/1/3/1/4/131407890/wubagixij-vakazigaj-kabemesovixifi.pdf
    • http://ayuhealing.com/uploads/1/3/0/9/130969596/7962964.pdf
    • http://mail.dundeepto.org/uploads/1/3/0/7/130776804/4c6e139.pdf
    • https://tuvivamitoti.files.wordpress.com/2020/06/tusitagosamim.pdf
    • https://zivuwisi.files.wordpress.com/2020/06/dixoxajoxupajisemizuvala.pdf
    • https://zuxefeja.files.wordpress.com/2020/06/46750134978.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000068e3.bin
5a60050ee51ff4e738d41fbd1198f8ce3bc530b439f1f1679c6894e870a5912d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x68E3 15724 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.