Malicious PDF — malware analysis report

Static analysis result for SHA-256 4604e930babd7dea…

MALICIOUS

PDF

Size: 24.9 KB
Created: 2020-04-23 18:12:41 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: aa16504e77503d58e5edf2cfadee200f
SHA-1: ec5063b9e94113ca1be1ae62115f0ff0b74aed50
SHA-256: 4604e930babd7dea2cf3e503196633148cf9757e09a265fc32aa24c8473462c7
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of external links, many pointing to similarly structured URLs on different domains, indicating a link farm or SEO abuse tactic. The document body, though heavily obfuscated, contains text related to 'resume template' and a URL, suggesting a lure to a malicious website. The ML classifier strongly flagged this PDF as malicious, supporting the assessment of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9950

Heuristics 3

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://san69.com/uploads/1/3/0/6/130621052/130621052.html#modern+resume+template+online+free