Malicious PDF — malware analysis report

Static analysis result for SHA-256 40e5c8df953e520a…

MALICIOUS

PDF

Size: 37.1 KB
Created: 2020-04-20 08:05:51 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: bb3745659448436a9167aa2ad9ce0284
SHA-1: 479f36126f9128a029a660d325e91c2f39576f5d
SHA-256: 40e5c8df953e520a09eafa14838a8b16fd690f8a0081b36c6fe7e46c57c36cca
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of external links, many of which point to other PDFs hosted on similar domains, indicating a link farm for SEO manipulation. The ML classifier also flagged this PDF as malicious with high confidence. No scripts were extracted from this sample, limiting the ability to determine further malicious intent beyond the link farm.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://oldwillowcomplex.com/uploads/1/3/1/3/131383673/131383673.html#best+free+tower+defense+games+android+2019
    • http://alejandroroofing.com/uploads/1/3/0/6/130621809/wibaxux_guwuwarumu_zopulagegaribos.pdf
    • http://64hurleystreetu2.com/uploads/1/3/0/6/130620673/wifarufinurodaj-dafigapepejo.pdf
    • http://fernandoelectricalservices.com/uploads/1/3/0/6/130639426/f6dec128ab.pdf
    • http://flipfitmedia.com/uploads/1/3/0/5/130589449/vetozefeziwa.pdf
    • http://treeservicemoncton.com/uploads/1/3/0/4/130489914/a4b90c76a55da0.pdf
    • http://briankilcullenpainting.com/uploads/1/3/0/6/130604083/bebaguzerusu.pdf
    • http://sethgoldsmith.org/uploads/1/3/0/8/130874678/4042425.pdf
    • http://pushingthetippingpoint.com/uploads/1/3/1/3/131383775/lukikikeganev-vajofatonikar-wisunesisot.pdf
    • http://motoboxpro.com/uploads/1/3/0/6/130604013/fetufezasovori_notupixodibewe.pdf
    • http://yalaarts.com/uploads/1/3/0/6/130622023/kukojopamuzimew.pdf
    • http://covingtoncollection.com/uploads/1/3/0/9/130969705/6650041.pdf
    • http://sethgoldsmith.org/uploads/1/3/0/8/1308746
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000069c4.bin
SHA-256: a635ef7ec958501794011bac9d91017ef94c8aaa727e80655bb2839f92377de9
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x69C4
Size: 7388 bytes