Malicious PDF — malware analysis report

Static analysis result for SHA-256 45ceb6633fd61f2e…

MALICIOUS

PDF

37.3 KB Created: 2020-05-22 04:53:57 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 991befe085aa3feb412866613f864340 SHA-1: dce5ae725cb67690ed15552a66c308edf5671fa6 SHA-256: 45ceb6633fd61f2eb4f7a723db235c01d6cd2b495e40fa737ecf437b50eb3783
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

This PDF document contains a large number of external links, many of which point to other PDF files hosted on various domains. The heuristic 'PDF_SEO_LINK_FARM' indicates a deliberate attempt to create a link farm, likely for SEO manipulation or to distribute malicious content. The presence of the URL http://host96.carmichaelnl.com/uploads/1/3/0/2/130288909/130288909.html#my+chemical+romance+i+dont+love+you+mp3+download suggests a lure for users to download files, potentially malware. No scripts were extracted, and the document body is heavily obfuscated.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://host96.carmichaelnl.com/uploads/1/3/0/2/130288909/130288909.html#my+chemical+romance+i+dont+love+you+mp3+download
    • http://naturalfairytale.net/uploads/1/3/0/4/130491703/8350688.pdf
    • http://magdamelendez.com/uploads/1/3/0/2/130272606/3885617.pdf
    • http://cenicenterprises.com/uploads/1/3/1/4/131406020/leritanapip.pdf
    • http://bitcheswotdo.com/uploads/1/3/1/3/131383998/d01260.pdf
    • http://mail.seasonal-inspirations.com/uploads/1/3/1/6/131606962/bozoduvobanixapewo.pdf
    • http://thealiceprince.com/uploads/1/3/0/6/130620379/5679921.pdf
    • http://mysteryplus.nl/uploads/1/3/0/9/130968972/koxameg.pdf
    • http://bloordaletoronto.com/uploads/1/3/0/8/130873992/runebosetal.pdf
    • http://chrispierce.net/uploads/1/3/0/7/130775830/5076993.pdf
    • http://davicsesports.uk/uploads/1/3/0/7/130775647/3105396.pdf
    • http://facetitenj.com/uploads/1/3/0/4/130483805/wizewixawa.pdf
    • http://alterationsokc.com/uploads/1/3/0/6/130603776/7287040.pdf
    • http://foodietee.com/uploads/1/3/0/6/130620420/3862358.pdf
    • http://21centuryhs.com/uploads/1/3/0/7/130775427/6958500.pdf
    • http://hydrauliktuchola.pl/uploads/1/3/0/3/130313643/gotojedoxod_pobukegininup.pdf
    • http://desertbuffalo.com/uploads/1/3/0/9/130969003/124f1.pdf
    • http://balkanexpeditedllc.org/uploads/1/3/1/1/131164573/bidovapugavomosetubo.pdf
    • http://newdawnbeach.com/uploads/1/3/1/3/131384544/badeka.pdf
    • http://exclusiveplumbingleadz.com/uploads/1/3/1/4/131438079/3249f52ede.pdf
    • http://aquataurfinancialservices.net/uploads/1/3/1/0/131069886/7644066.pdf
    • http://deercreekarchery.com/uploads/1/3/0/6/130639882/nuxorudinugi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006285.bin
090d189bfed7cb663659a1a4db1cbbc123ff1842dbe645bbd2ce3b3fd072fa69		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6285 11180 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.