Malicious PDF — malware analysis report

Static analysis result for SHA-256 3891598f188e1031…

Verdict: MALICIOUS
File type: PDF
Size: 38.1 KB
Created: 2020-03-09 09:23:33 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 9ea11c214af03e5a6b95dc280860d55a
SHA-1: bc9e0ed2259aa467ade1e0296c366b27a3d637d3
SHA-256: 3891598f188e1031b2ae741915d90a061f4e229397bb2455b9789d42d352d4ed
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links, as indicated by the PDF_SEO_LINK_FARM heuristic. The ML classifier also strongly flagged this PDF as malicious. The document body, though partially corrupted, contains references to URLs that are likely part of a link farm or SEO manipulation scheme, potentially leading to malicious content or phishing sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info) PDF_URI
    PDF contains an external URL action
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.equestrianeliteatapplejackfarm.com/uploads/1/3/0/5/130541443/130541443.html#determinacion+de+acido+acetico+en+vinagre+marco+teorico
    • http://freeflightresearch.com/uploads/1/3/0/6/130621815/vuzevumomukuxe.pdf
    • http://fundsamurai.com/uploads/1/3/0/7/130775543/08f05cf.pdf
    • http://www.northadamshome.com/uploads/1/3/0/2/130289613/mupagafulibebu_jagux_vetine.pdf
    • http://www.fuegoclubsf.com/uploads/1/3/0/6/130621206/doxap.pdf
    • http://sacredandsovereign.com/uploads/1/3/0/8/130813577/9d29ffeb0f81e3d.pdf
    • http://bootcampandfitnessworkouts.com/uploads/1/3/0/6/130620154/xofubik.pdf
    • http://stock2exchange.com/uploads/1/3/0/6/130604351/vusot.pdf
    • http://iowagsummit.com/uploads/1/3/0/7/130776322/dufitonasabava_puwizezameda_rikokejavo_zanido.pdf
    • http://yrittajyys2018.com/uploads/1/3/0/2/130289295/7714876.pdf
    • http://salondenavidadalmeria.com/uploads/1/3/0/6/130604034/4374861.pdf
    • http://jfdeals.com/uploads/1/3/0/7/130775950/kopagogujevod.pdf
    • http://horseassistedcoaching.se/uploads/1/3/0/8/130813898/1a45f4c57.pdf
    • http://golfireland.club/uploads/1/3/0/6/130621755/tebakunolapidoj.pdf
    • http://lahealthgroup.com/uploads/1/3/0/6/130604599/rojasunujijevuruga.pdf
    • http://www.you-inspire-me.com/uploads/1/3/0/5/130539734/8a3f2e3ca4dd83.pdf
    • http://cajarycapital.com/uploads/1/3/0/6/130622116/mewar_tuxepol_nokuni_sasikejuxepazip.pdf
    • http://hostmaster.amyrosemcdowell.com/uploads/1/3/0/6/130621554/figejopufuruzox.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00006a3c.bin
    SHA-256: cf3d727682521d75b742aae7fa5e9145eca6183d85a4212c77977bd27fe5579a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6A3C
    Size: 9016 bytes