Malicious PDF — malware analysis report

Static analysis result for SHA-256 373a4b772535530d…

Verdict: MALICIOUS
File type: PDF
Size: 55.8 KB
Created: 2020-04-07 20:05:05 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: a74adfc0c6794101b854ded2b8d14e31
SHA-1: 6d446ab290983fd60b1dd4ab84be3d7bc7e87adf
SHA-256: 373a4b772535530d6da8f450713f69d8cbfc85e7e33a8c782dfa2e4a868a462a
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1598 Gather Victim Identity Information
  • T1204 User Execution

The PDF document contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic. These links point to various domains, suggesting a link farm or SEO manipulation tactic. The ML_NYX_PDF_MALICIOUS heuristic also strongly indicates malicious intent. The document body contains garbled text and some URLs, but no explicit script or payload is directly embedded. The primary attack pattern appears to be directing users to a network of external resources.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000b3b2.bin
SHA-256: a21b163f2617410c2b4d375d410bc77c884f60f09292ea7e46d69eda9890f940
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xB3B2
Size: 7900 bytes