Malicious PDF — malware analysis report

Static analysis result for SHA-256 46b75c4c892eae7f…

MALICIOUS

PDF

Size: 126.8 KB
Created: 2020-04-11 10:45:06 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: b3f341599fbff1b90e133d85d45f9537
SHA-1: 2d03f6bdf46e7e3272a719e04292b64104bada10
SHA-256: 46b75c4c892eae7fadd3b76915074eb7f5c3696a88fd4bf24f040b1b666de61f
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links, many of which point to numeric or keyword-based slugs on various domains, indicative of a link farm or SEO abuse for malicious purposes. The ML classifier strongly flagged this PDF as malicious. The primary attack vector appears to be directing users to external URLs, which are likely hosting further malicious content or phishing pages.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9583

Heuristics 3

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://74-123-77-70.mgwnet.com/uploads/1/3/0/7/130738554/130738554.html#desarrollo+del+ni%C3%B1o+y+adolescente+pd
    • http://simplybrilliantminds.com/uploads/1/3/0/6/130604056/b9975c67d7691.pdf
    • http://sarahpottier-dieteticienne.com/uploads/1/3/0/4/130489363/valivosopavojosulugu.pdf
    • http://aimhigherenterprises.com/uploads/1/3/1/4/131407021/xonawiwibovo-vajudojoralil-lebajekum-nevikawew.pdf
    • http://shopfashion4her.com/uploads/1/3/0/5/130589178/wukevem.pdf
    • http://nictehaflordeloto.com/uploads/1/3/0/9/130969085/3306551.pdf
    • http://cometochristchurch.mobi/uploads/1/3/0/6/130639162/logiku.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0001bc29.bin
    SHA-256: db9724eedc4f6c72466aee2b3a1469c4ad90b7f7de951358eb0d6b0266f099ef
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1BC29
    Size: 11148 bytes
  • font_01_sfnt_off0001e2c6.bin
    SHA-256: b0a6a33381002d1c379ca931d660fe98df7a73518421c8b234b9dc16af60e95a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1E2C6
    Size: 2696 bytes