Malicious PDF — malware analysis report

Static analysis result for SHA-256 4236e72111c286cb…

Verdict: MALICIOUS
File type: PDF

Size: 35.7 KB
Created: 2020-06-14 21:50:41 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: af78b15bfe6ff524ac7633e813d70641
SHA-1: a9a9db0ab9b62886dbbbc6643c1028757a2cc354
SHA-256: 4236e72111c286cb2148c35c75e63fedc503d3f65fb3e10cee1ac92c089ad8cd
Risk score: 92

Malware Insights

MITRE ATT&CK
T1566.002 Phishing: Spearphishing Link
T1204.002 User Execution: Malicious File

The PDF carries a large number of external links. The first points to an HTML page whose URL fragment is a search phrase (ffxiv+mining+leveling+guide); the rest point to further PDFs: nine on otherwise unrelated hostnames that all share one path template (/uploads/1/3/<d>/<d>/13<digits>/<name>.pdf, with the directory digits mirroring the numeric ID), and seven on files.wordpress.com subdomains uploaded in 2020/06, the same month the document was created. Templated cross-linking of that kind is the signature of a generated SEO link-farm carrier, not a citation pattern, and the PDF_SEO_LINK_FARM heuristic fires at critical severity; the ML classifier independently scores the file 0.9999 malicious. No scripts were extracted and the page content yielded no readable text (the content streams are most likely compressed), so the links are the only delivery vector: the document is a lure that routes anyone who clicks into a chain of further PDFs, and the wkhtmltopdf toolchain is consistent with bulk HTML-to-PDF generation rather than an authored document. Note that the six http://www.w3.org, purl.org and ns.adobe.com entries at the end of the URL list are XMP metadata namespace identifiers present in most PDFs; they are not links and should be discounted when counting external URIs.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://fernandogapasin.com/uploads/1/3/0/7/130740522/130740522.html#ffxiv+mining+leveling+guide
    • http://baysideoakland.com/uploads/1/3/1/0/131070125/tobokejitoxepaje.pdf
    • http://available46.unix1.com/uploads/1/3/0/6/130620756/8953047.pdf
    • http://natureshealingtouch.net/uploads/1/3/0/5/130588822/414d0b.pdf
    • http://momslist.store/uploads/1/3/0/2/130289592/5647922.pdf
    • http://gj.robynjwilliams.com/uploads/1/3/1/6/131606473/modaz.pdf
    • http://cpanel.fortyandoof.com/uploads/1/3/0/7/130740492/1391360.pdf
    • http://highlandermckay.com/uploads/1/3/1/8/131856564/ab69c60e0efad7.pdf
    • http://vps.afged12.org/uploads/1/3/0/9/130969357/3587467.pdf
    • http://miltiadesdevelopements.com/uploads/1/3/1/4/131454151/zupunine_mexategu_vugusobere.pdf
    • https://jikuzugaro.files.wordpress.com/2020/06/91682188585.pdf
    • https://kilotudinuv.files.wordpress.com/2020/06/85951405195.pdf
    • https://jitalexevumo.files.wordpress.com/2020/06/larixozufer.pdf
    • https://datarelozaw874436251.files.wordpress.com/2020/06/wasisalabefedilonulumud.pdf
    • https://sabaliku.files.wordpress.com/2020/06/90555788764.pdf
    • https://delepozafejo.files.wordpress.com/2020/06/6654828891.pdf
    • https://banaxog.files.wordpress.com/2020/06/juloxizosowebemanixe.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
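The analysis above and the PDF_SEO_LINK_FARM heuristic both rest on the same three steps: pull the clickable /URI actions out of the file, discard the XMP namespace identifiers that every URL extractor also picks up, and then score the remaining links by count, target type and host clustering. The example below is added here to show that logic end to end; it is my code, not the analysis platform's, and the thresholds, the registrable-domain approximation and the .example URLs (modelled on the report's path template) are all assumptions. It regex-scans uncompressed objects only; on a real sample the annotation dictionaries usually sit inside FlateDecode'd object streams and need a proper PDF parser first.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# XMP namespace identifiers found in the metadata stream of almost every PDF.
# They are identifiers, not links, so they must not count toward the total
# (the report's URL list ends with six of them).
XMP_NAMESPACE_PREFIXES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/",
)

# Innermost (non-nested) dictionaries in uncompressed objects, which is where
# the /A << /S /URI /URI (http://...) >> action of a /Link annotation lives.
DICT_RE = re.compile(rb"<<([^<>]*)>>")
ACTION_RE = re.compile(rb"/S\s*/URI\b")
URI_KEY_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Any http(s) URL anywhere in the raw bytes (metadata, page text, strings).
RAW_URL_RE = re.compile(rb"https?://[^\s<>\"'()]+")

# Constructed placeholder URLs shaped like the report's; reserved .example
# hosts, not the sample's real infrastructure.
FARM_URLS = [
    "http://lure.example/uploads/1/3/0/7/130740522/130740522.html#ffxiv+mining+leveling+guide",
    "http://site-a.example/uploads/1/3/1/0/131070125/tobokejitoxepaje.pdf",
    "http://site-b.example/uploads/1/3/0/6/130620756/8953047.pdf",
] + [f"https://blog{i}.files.wordpress.example/2020/06/{9000 + i}.pdf" for i in range(7)]


def build_sample_pdf(urls):
    """Constructed test input: a minimal uncompressed PDF with one /Link
    annotation per URL plus an XMP metadata stream (not a real sample)."""
    objs, annots = [], []
    for i, u in enumerate(urls):
        n = 5 + i
        annots.append(f"{n} 0 R")
        objs.append(f"{n} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    f"/A << /S /URI /URI ({u}) >> >>\nendobj\n")
    xmp = ('<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           'xmlns:dc="http://purl.org/dc/elements/1.1/" '
           'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></x:xmpmeta>')
    header = ("%PDF-1.4\n"
              "1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj\n"
              "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
              f"3 0 obj << /Type /Page /Parent 2 0 R /Annots [{' '.join(annots)}] >> endobj\n"
              f"4 0 obj << /Type /Metadata /Subtype /XML /Length {len(xmp)} >>\n"
              f"stream\n{xmp}\nendstream\nendobj\n")
    return (header + "".join(objs) + "trailer << /Root 1 0 R >>\n%%EOF\n").encode("latin-1")


def classify_links(pdf_bytes):
    """Split URLs into clickable /URI actions, XMP namespace identifiers,
    and everything else (URLs that only occur as text)."""
    clickable = []
    for m in DICT_RE.finditer(pdf_bytes):
        body = m.group(1)
        if ACTION_RE.search(body):
            u = URI_KEY_RE.search(body)
            if u:
                clickable.append(u.group(1).decode("latin-1"))
    raw = {u.decode("latin-1") for u in RAW_URL_RE.findall(pdf_bytes)}
    namespace = sorted(u for u in raw if u.startswith(XMP_NAMESPACE_PREFIXES))
    other = sorted(raw - set(namespace) - set(clickable))
    return clickable, namespace, other


def site_of(url):
    """Crude registrable-domain approximation (last two labels), enough to
    group a.files.wordpress.example and b.files.wordpress.example together."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def seo_link_farm_score(pdf_bytes, max_size=200_000, min_pdf_links=8, cluster_ratio=0.5):
    """Hypothetical re-implementation of the PDF_SEO_LINK_FARM idea: a small
    PDF whose clickable links mostly lead to other PDFs, concentrated on one
    site. The thresholds are assumptions, not the vendor's."""
    clickable, _, _ = classify_links(pdf_bytes)
    pdf_links = [u for u in clickable if urlsplit(u).path.lower().endswith(".pdf")]
    sites = Counter(site_of(u) for u in clickable)
    top_site, top_count = sites.most_common(1)[0] if sites else ("", 0)
    share = top_count / len(clickable) if clickable else 0.0
    flagged = (len(pdf_bytes) < max_size
               and len(pdf_links) >= min_pdf_links
               and share >= cluster_ratio)
    return {"size": len(pdf_bytes), "clickable": len(clickable),
            "pdf_links": len(pdf_links), "top_site": top_site,
            "top_site_share": round(share, 2), "flagged": flagged}


if __name__ == "__main__":
    sample = build_sample_pdf(FARM_URLS)
    clickable, namespace, other = classify_links(sample)
    print(f"{len(clickable)} clickable, {len(namespace)} namespace, {len(other)} other")
    print(seo_link_farm_score(sample))
```

The namespace filter matters in practice: an extractor that counts raw URLs would report the rdf, dc and ns.adobe.com identifiers as "external URLs" on a perfectly benign document, which is exactly why the report's EMBEDDED_URL entry is informational and the verdict rests on the clickable-link clustering instead.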

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005e64.bin
SHA-256: cd9a922a7c1e2bf503d1d75a5dab1c07592486f743a9fba91f8e20af7befd29c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5E64
Size: 10768 bytes
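The report carves one embedded font stream and labels it sfnt, but says nothing about whether the blob is a well-formed font. Since a malformed embedded font is one of the few remaining ways a script-free PDF could carry an exploit rather than just links, the added example below (mine, not the analysis platform's) parses the sfnt offset table and table directory and reports every table whose bounds fall outside the blob. The sample blob is constructed, the table payloads are not real font tables, and the 64-table sanity limit is an assumption.

```python
import struct

# sfntVersion values seen in fonts embedded in PDFs.
SFNT_VERSIONS = {
    b"\x00\x01\x00\x00": "TrueType",
    b"OTTO": "OpenType/CFF",
    b"true": "TrueType (Apple)",
}
HEADER_LEN = 12      # offset table: sfntVersion + numTables + 3 search fields
RECORD_LEN = 16      # table record: tag + checksum + offset + length
MAX_TABLES = 64      # sanity limit (assumption); real fonts have a few dozen


def parse_sfnt(blob):
    """Parse the offset table and table directory of a carved sfnt blob.
    Returns the flavour, the table tags in directory order, and a list of
    problems; an empty problems list means the directory is self-consistent."""
    problems = []
    if len(blob) < HEADER_LEN:
        return {"flavour": None, "tables": [], "problems": ["shorter than offset table"]}
    version = blob[:4]
    flavour = SFNT_VERSIONS.get(version)
    if flavour is None:
        problems.append(f"unknown sfnt version {version!r}")
    (num_tables,) = struct.unpack(">H", blob[4:6])
    if num_tables == 0 or num_tables > MAX_TABLES:
        problems.append(f"implausible table count {num_tables}")
    dir_end = HEADER_LEN + RECORD_LEN * num_tables
    if dir_end > len(blob):
        problems.append("table directory runs past end of blob")
    tables = []
    readable = min(num_tables, (len(blob) - HEADER_LEN) // RECORD_LEN)
    for i in range(readable):
        start = HEADER_LEN + RECORD_LEN * i
        tag, _checksum, offset, length = struct.unpack(">4sIII", blob[start:start + RECORD_LEN])
        name = tag.decode("latin-1")
        if not all(32 <= b < 127 for b in tag):
            problems.append(f"non-ASCII table tag {tag!r}")
        # A table must lie after the directory and entirely inside the blob.
        if offset < dir_end or offset + length > len(blob):
            problems.append(f"table {name} [{offset}, {offset + length}) outside blob of {len(blob)} bytes")
        tables.append(name)
    return {"flavour": flavour, "tables": tables, "problems": problems}


def build_sample_sfnt(tables):
    """Constructed test input: assemble a minimal sfnt container from
    {tag: payload}; the payloads are filler, not real font tables."""
    num = len(tables)
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", num, 0, 0, 0)
    directory, body = b"", b""
    base = HEADER_LEN + RECORD_LEN * num
    for tag, payload in tables.items():
        directory += struct.pack(">4sIII", tag, 0, base + len(body), len(payload))
        body += payload + b"\0" * (-len(payload) % 4)   # tables are 4-byte aligned
    return header + directory + body


if __name__ == "__main__":
    good = build_sample_sfnt({b"head": b"\x00" * 54, b"glyf": b"\x01" * 20})
    print(parse_sfnt(good))
    print(parse_sfnt(b"MZ\x90\x00" + b"\x00" * 100))   # not a font at all
    print(parse_sfnt(good[:40]))                         # truncated directory
```

Running this over the carved font_00_sfnt_off00005e64.bin would either confirm a clean directory, in which case the font is just rendering furniture from wkhtmltopdf, or surface out-of-bounds table records that warrant a closer look in a font parser.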