Malicious PDF — malware analysis report

Static analysis result for SHA-256 38ef4cf11dadd519…

MALICIOUS

PDF

Size: 75.4 KB
Created: 2020-03-26 09:14:44 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: ac12031afb54035c4254853b70253a7e
SHA-1: 675f120b770c4fc67515564439c0efbde1054b2d
SHA-256: 38ef4cf11dadd519c80e458af7ddba6f7b8cfdc95277de3b361224c3e6a9b2ce
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains numerous external links, a technique commonly used in SEO poisoning attacks to redirect users to malicious websites. The heuristic 'PDF_SEO_LINK_FARM' specifically identifies this behavior, indicating the document is part of a link farm. The ML classifier also strongly flagged this PDF as malicious. The embedded URL and the document body text, which mentions 'que es inhibir la sintesis proteica', are likely lures to encourage clicks on the malicious links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM [critical]: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI [info]: External URI
    PDF contains an external URL action.
  • EMBEDDED_URL [info]: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://allamericanhandyman.org/uploads/1/3/1/3/131379896/131379896.html#que+es+inhibir+la+sintesis+proteica
    • http://five6ix.com/uploads/1/3/0/6/130620756/xamevapusamin.pdf
    • http://www.miguelvaldiviezo.com/uploads/1/3/0/2/130287242/godamixawum.pdf
    • http://rogerspto.com/uploads/1/3/0/3/130379146/sigaligigezazugomi.pdf
    • http://onboardxpress.com/uploads/1/3/0/6/130639876/2104833.pdf
    • http://www.yun-chuan.com.tw/uploads/1/3/0/4/130478484/rizoxoravo.pdf
    • http://samschuth.com/uploads/1/3/0/7/130740257/sexebogakerogimulu.pdf
    • http://hemlockhollowfloorcloths.net/uploads/1/3/0/8/130874129/6589195.pdf
    • http://paintinghopefoundation.com/uploads/1/3/0/8/130814531/lujazenikujepa-nesepona-tililedaxudesef-nojafesazeloto.pdf
    • http://giftofreverence.com/uploads/1/3/0/2/130272644/zabokumalimuwim.pdf
    • http://nancygreinerkilnformedglass.com/uploads/1/3/0/6/130604430/1283935.pdf
    • http://www.lignindesign.com/uploads/1/3/0/5/130588960/lipumamuxufikot.pdf
    • http://georgeschauffeurs.com/uploads/1/3/0/5/130542770/zetelazavoxa.pdf
    • http://mellonediting.com/uploads/1/3/0/5/130590561/palazelilisizu.pdf
    • http://oceanclubwestrentals.com/uploads/1/3/1/0/131069843/2879791.pdf
    • http://claudiatennyson.com/uploads/1/3/0/6/130639042/e6cb7c887be731a.pdf
    • http://absyntmyndz.com/uploads/1/3/0/7/130776724/ba6378df3bdbaf.pdf
    The remaining entries are XMP metadata namespace identifiers (RDF, Dublin Core, Adobe PDF/XAP schemas) extracted from the document's metadata stream; they are schema URIs, not clickable link targets:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename / SHA-256 / Kind / Source / Size

  • Filename: font_00_sfnt_off0000ee53.bin
    SHA-256: 77ec55521d016d3e42fa8ae771d4e22c7f12dcdd727f83bd1dd87c60849ec442
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xEE53
    Size: 10684 bytes
  • Filename: font_01_sfnt_off0001134d.bin
    SHA-256: 817c5682b7f33315ed3b936d93046349a8e09090a565814db15ef80b445c12a3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1134D
    Size: 2996 bytes