Malicious PDF — malware analysis report

Static analysis result for SHA-256 3169c7860f373db4…

Verdict: MALICIOUS
File type: PDF
Size: 39.0 KB
Created: 2020-05-22 06:52:57 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ad3d082fa77985f575b4defea676d1d4
SHA-1: bb0a037126264353646b73786145132de8eca65b
SHA-256: 3169c7860f373db4549e7ee30c8c39a56c59d0fb8c34d0c2bd187a1326f3b369
Risk score: 100

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link; T1059.001 Command and Scripting Interpreter: PowerShell

The document is a small (39.0 KB) wkhtmltopdf-generated PDF whose content is a farm of clickable links to external PDF files, which the PDF_SEO_LINK_FARM heuristic rates critical: this pattern matches generated SEO carriers that route users into malicious or unwanted-software delivery chains rather than a genuinely cited document. Note that the nine .pdf targets listed below sit on nine distinct hosts but share a single path template (/uploads/1/3/<d>/<d>/<nine-digit id>/<file>.pdf), so the clustering here is by path structure rather than by host. An AcroForm /Btn field carrying an action trigger adds the fake-button interaction path typical of PDF phishing lures. The six w3.org, purl.org and ns.adobe.com URIs in the URL list are XMP metadata namespace identifiers, not navigable links, and should not be treated as indicators. Nothing carved from the sample (the only extracted artifact is an embedded font) contains script content, so the T1059.001 (PowerShell) mapping describes the expected downstream delivery chain rather than behaviour observed in this file. The Nyx classifier's 0.9994 malicious score is consistent with the heuristic findings.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9994

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • AcroForm button with action trigger [low] PDF_ACROFORM_BUTTON
    PDF contains a /Btn form field together with a SubmitForm/URI/Launch/JS trigger. This is the building block of fake 'Download' or 'Open' button overlays used in PDF phishing lures.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    HTTP URLs (the fragment of the first one is double-percent-encoded; it decodes to the Turkish phrase "insanı tanıma sanatı"):
    • http://us-arabchamber.net/uploads/1/3/0/6/130639027/130639027.html#insan%25C4%25B1+tan%25C4%25B1ma+sanat%25C4%25B1
    • http://loftyroots.com/uploads/1/3/0/6/130604475/5241726.pdf
    • http://buttemtnews.com/uploads/1/3/1/8/131856224/7944486.pdf
    • http://lakesideautomotive.net/uploads/1/3/1/3/131384403/jaretabo.pdf
    • http://ateaselawncareservicesllc.com/uploads/1/3/0/7/130739192/8435922.pdf
    • http://kofferkino.de/uploads/1/3/0/6/130639535/4145500.pdf
    • http://freelancefreedom.org/uploads/1/3/0/5/130550752/kodemojagafowo_gulejotegabar_bafumopejabes_loragigi.pdf
    • http://greatfriendscharity.com/uploads/1/3/1/4/131406020/5e8491f1.pdf
    • http://luminousme.online/uploads/1/3/0/7/130776002/7526841.pdf
    • http://growmenetwork.com/uploads/1/3/0/6/130605222/depetozonuziki-mojejiz-rowiretawi-gisalijur.pdf
    XMP metadata namespace URIs (standard schema identifiers from the document's XMP packet, not clickable links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
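The two heuristics above (PDF_SEO_LINK_FARM and PDF_ACROFORM_BUTTON) can be reproduced with a small stdlib-only scanner over raw PDF object syntax. The following is an added example written for this page; it is not the report's own detection engine and its thresholds (100 KB file size, at least five .pdf link targets, 50% clustering by host or by path template), the 512-byte proximity window for the button check, the `.example` hostnames and the two constructed sample files are all assumptions for the demo. It extracts every /URI action target from the file and from any FlateDecode stream it can inflate (so links packed into object streams are not missed), flags a /Btn field that has a URI/SubmitForm/Launch/JavaScript trigger near it, and rates link-farm clustering by path template as well as by host, which is what catches the distinct-host, shared-path layout seen in this sample. It deliberately ignores XMP namespace URIs, since those are not /URI actions.

```python
"""Stdlib-only scanner for the PDF link-farm and AcroForm-button heuristics (added example)."""
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# /URI key of a URI action, as a literal string (...) or a hex string <...>.
URI_KEY_RE = re.compile(rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)", re.S)
BTN_FIELD_RE = re.compile(rb"/FT\s*/Btn\b")
TRIGGER_RE = re.compile(rb"/S\s*/(URI|SubmitForm|Launch|JavaScript)\b")
# A FlateDecode stream: dictionary ... stream\n<data>endstream (trailing EOL bytes are tolerated below).
FLATE_STREAM_RE = re.compile(rb"/FlateDecode.*?\bstream\r?\n(.*?)endstream", re.S)


def _buffers(pdf_bytes):
    """Yield the raw file, then every FlateDecode stream body that inflates cleanly."""
    yield pdf_bytes
    for m in FLATE_STREAM_RE.finditer(pdf_bytes):
        try:
            # decompressobj ignores the EOL bytes between the deflate data and 'endstream'.
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # truncated or non-zlib data: skip rather than crash on a hostile file


def _decode_uri(literal, hexstr):
    """Turn a PDF literal or hex string into text (minimal unescaping, enough for URLs)."""
    if hexstr is not None:
        h = re.sub(rb"\s", b"", hexstr)
        return bytes.fromhex((h + b"0" if len(h) % 2 else h).decode("ascii")).decode("latin-1")
    return literal.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\").decode("latin-1")


def extract_uri_actions(pdf_bytes):
    """Every /URI action target in the file and in its inflated streams (PDF_URI / EMBEDDED_URL)."""
    return [_decode_uri(m.group(1), m.group(2))
            for buf in _buffers(pdf_bytes) for m in URI_KEY_RE.finditer(buf)]


def has_button_with_trigger(pdf_bytes, window=512):
    """PDF_ACROFORM_BUTTON: a /Btn field with an action trigger within `window` bytes of it (assumed window)."""
    for buf in _buffers(pdf_bytes):
        for m in BTN_FIELD_RE.finditer(buf):
            if TRIGGER_RE.search(buf, max(0, m.start() - window), m.end() + window):
                return True
    return False


def link_farm_verdict(pdf_bytes, max_size=100 * 1024, min_pdf_links=5, cluster_ratio=0.5):
    """PDF_SEO_LINK_FARM: small file, many external .pdf links, clustered by host or by path template.
    Thresholds are assumptions for this demo, not the report's published values."""
    uris = [u for u in extract_uri_actions(pdf_bytes) if u.lower().startswith(("http://", "https://"))]
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    verdict = {"hit": False, "pdf_links": len(pdf_links), "hosts": 0, "cluster": 0.0}
    if len(pdf_bytes) > max_size or len(pdf_links) < max(1, min_pdf_links):
        return verdict
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    # Path template: drop the filename and replace digit runs, so that
    # /uploads/1/3/0/6/130604475/x.pdf and /uploads/1/3/1/8/131856224/y.pdf collapse to one key.
    templates = Counter(re.sub(r"\d+", "#", urlparse(u).path.rsplit("/", 1)[0] + "/") for u in pdf_links)
    by_host = hosts.most_common(1)[0][1] / len(pdf_links)
    by_template = templates.most_common(1)[0][1] / len(pdf_links)
    cluster = max(by_host, by_template)
    verdict.update(hit=cluster >= cluster_ratio, hosts=len(hosts), cluster=round(cluster, 2))
    return verdict


def analyse(pdf_bytes):
    return {"uri_count": len(extract_uri_actions(pdf_bytes)),
            "acroform_button": has_button_with_trigger(pdf_bytes),
            "link_farm": link_farm_verdict(pdf_bytes)}


def build_sample(links, with_button):
    """Construct a minimal PDF-like file: link annotations packed in a FlateDecode object stream,
    plus an optional /Btn widget whose /A action is a URI. Constructed demo input, not the real sample."""
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (%s) >> >>\n" % u.encode("ascii")
        for u in links)
    packed = zlib.compress(annots)
    pdf = b"%PDF-1.7\n"
    pdf += b"1 0 obj\n<< /Type /ObjStm /Filter /FlateDecode /Length %d >>\nstream\n" % len(packed)
    pdf += packed + b"\nendstream\nendobj\n"
    if with_button:
        pdf += (b"2 0 obj\n<< /Type /Annot /Subtype /Widget /FT /Btn /T (download) "
                b"/A << /S /URI /URI (http://button.example/uploads/1/3/0/9/130999999/lure.pdf) >> >>\nendobj\n")
    return pdf + b"trailer\n<< /Root 3 0 R >>\n%%EOF\n"


# Constructed links: nine distinct hosts sharing one /uploads/#/#/#/#/#/ path template, as in the report above.
FARM_LINKS = [f"http://host-{c}.example/uploads/1/3/0/{i}/13060{i:04d}/{i}241726.pdf"
              for i, c in enumerate("abcdefghi")]
BENIGN_LINKS = ["https://docs.example/spec.pdf", "https://docs.example/errata.pdf", "https://blog.example/post"]
SAMPLE_FARM = build_sample(FARM_LINKS, with_button=True)
SAMPLE_BENIGN = build_sample(BENIGN_LINKS, with_button=False)

if __name__ == "__main__":
    for name, pdf in (("farm", SAMPLE_FARM), ("benign", SAMPLE_BENIGN)):
        print(name, analyse(pdf))
```

Run as a script it prints a hit for the constructed farm sample (ten .pdf links on ten hosts, one path template, button present) and no hit for the benign one. The regex approach is a triage aid only: it does not follow /Length, handle filters other than FlateDecode, decrypt encrypted files, or resolve an /A action stored as an indirect object reference, so a production pipeline should run the same rules on objects produced by a real PDF parser.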

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000069be.bin
SHA-256:  c1baa433164e19c2bd6c14a25f3682baaf9eb4b20788c6b338c6359c9c9e3b29
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x69BE
Size:     12088 bytes