Malicious PDF — malware analysis report

Static analysis result for SHA-256 40ebf7375ce9c4d3…

MALICIOUS

PDF

Size: 43.4 KB
Created: 2020-03-29 02:32:11 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: aff36f17ccbb309ded57247e03d3d20d
SHA-1: 7153f40cbe4599d3cbf666982b85dc9e87595913
SHA-256: 40ebf7375ce9c4d3160c71ab8899d92b188059785eccaa8f2f4a8acd11554b27
Risk score: 92

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was flagged by a machine learning classifier as malicious. It contains a large number of external links, indicating a link farm or redirection scheme designed to lead users to potentially harmful content. The presence of numerous PDF links suggests an attempt to manipulate search engine results or distribute further malicious documents.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000066cd.bin
  SHA-256: ce3d8a33e6d5655d1a94e764f8379bfe7172ac6bc0644a9d77d1e8727b1d8193
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x66CD
  Size: 8360 bytes

Filename: font_01_sfnt_off000086fc.bin
  SHA-256: 22ad5a8dbe0ec64df3a7fc9ca3846211a556323626c220d4aeaea6e558372abc
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x86FC
  Size: 7860 bytes