Malicious PDF — malware analysis report

Static analysis result for SHA-256 4a4290e91da570c1…

Verdict: MALICIOUS

File type: PDF

Size: 32.0 KB
Authoring application: OpenOffice Draw (as declared in the document's own Creator/Producer metadata, which the author of the file controls and can set to any value)
MD5: b7b2f8287b90db646f938ac14ed3653c
SHA-1: c0568608f355027a375b66e04b1c3c645428999c
SHA-256: 4a4290e91da570c18ca107c700be6651a6794103400b57e98ccead3b53d0c28a
Risk Score: 90

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File

The PDF file exhibits the characteristics of a link farm: it embeds a large number of clickable external URLs, here all pointing at further PDF files hosted on other domains. Generated PDFs of this kind are used both to manipulate search-engine rankings and to route users into malicious or unwanted-software delivery chains. The ML classifier scored the file as malicious with very high confidence, which supports the heuristic finding of a PDF SEO link farm. No JavaScript or other scripts were extracted, and the document body was heavily obfuscated, so the specific lure could not be analysed in more detail.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (2)

  • PDF_SEO_LINK_FARM (severity: critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL (severity: info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://oakhillcontractorsllc.net/uploads/1/3/0/6/130621460/d3fde.pdf
    • http://giantsizedannual.com/uploads/1/3/0/6/130604433/wazutojifevoza_sulune_jipaxam_difen.pdf
    • http://experiencetrailhead.com/uploads/1/3/0/2/130287896/5205339.pdf
    • http://bradandmaria.com/uploads/1/3/0/5/130551059/pitaluvukemefusoj.pdf
    • http://wrsni.com/uploads/1/3/0/6/130621089/bupuranaf.pdf
    • http://megagyros.com.au/uploads/1/3/0/7/130738646/cffe084d2b4.pdf
    • http://comeseemyjamaica.com/uploads/1/3/0/2/130289259/buluzofagila_sonenof_nolibes.pdf
    • http://188prospectstreetu1.com/uploads/1/3/0/7/130775154/e0916f4d73219c.pdf
    • http://madeinmichiana.com/uploads/1/3/0/4/130483428/9418149.pdf
    • http://coateschicken.com/uploads/1/3/0/3/130313190/86126.pdf
    • http://crystaldictionary.online/uploads/1/3/0/6/130639855/b17d028582d39c0.pdf
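The PDF_SEO_LINK_FARM heuristic above combines three observations: the file is small, it carries many clickable external links, and those links cluster on a single host. The following is an added example, written for this page and not the scanner's own code, of how that check can be reproduced at the byte level over a PDF's link annotations (/Annot /Link objects whose /A action is /S /URI). The thresholds, the host names and URLs in the constructed sample files, and the builder that produces those sample files are all assumptions made for the example; the real report's tuning is not published on the page. The example also counts how many targets are themselves .pdf files, since every URL in this sample is one, but does not use that as a trigger.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Assumed thresholds for this example (not the report's actual tuning).
MAX_SIZE_BYTES = 256 * 1024      # what counts as a "small" PDF
MIN_EXTERNAL_LINKS = 8           # "many" clickable external links
MIN_HOST_CONCENTRATION = 0.5     # share of links on the busiest host = "mostly one host"

# Matches the /URI entry of a link action written as a PDF literal string,
# e.g. "/A << /S /URI /URI (http://host/x.pdf) >>", honouring backslash escapes.
# Targets stored as hex strings <...> or inside compressed object streams are
# invisible to this byte-level pass; a real parser (e.g. pikepdf) is needed there,
# which is also why an "obfuscated body" can hide the lure from a pass like this.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI action target found as a literal string, in file order."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def score_link_farm(pdf_bytes: bytes) -> dict:
    """Apply the small-PDF / mass-external-link heuristic and return the evidence."""
    uris = extract_uris(pdf_bytes)
    external = [u for u in uris if u.lower().startswith(("http://", "https://"))]
    hosts = Counter((urlparse(u).hostname or "").lower() for u in external)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    concentration = top_count / len(external) if external else 0.0
    pdf_targets = sum(1 for u in external if urlparse(u).path.lower().endswith(".pdf"))
    flagged = (
        len(pdf_bytes) <= MAX_SIZE_BYTES
        and len(external) >= MIN_EXTERNAL_LINKS
        and concentration >= MIN_HOST_CONCENTRATION
    )
    return {
        "size": len(pdf_bytes),
        "external_links": len(external),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "host_concentration": round(concentration, 2),
        "pdf_targets": pdf_targets,
        "flagged": flagged,
    }


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed test input: a one-page PDF whose only content is one /Link
    annotation per URL. It omits the xref table, so it is not a fully conformant
    file, but it is enough to exercise the byte-level heuristic above."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
    ]
    annots = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + annots + b"] >>")
    for i, url in enumerate(urls):
        y = 750 - 20 * i   # stack the clickable rectangles down the page
        objs.append(
            b"<< /Type /Annot /Subtype /Link /Rect [50 %d 400 %d] "
            b"/Border [0 0 0] /A << /S /URI /URI (%s) >> >>" % (y, y + 15, url.encode())
        )
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (n + 1, o) for n, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed samples: a link-farm-shaped file (10 of 12 links on one host, all
# pointing at further PDFs) and a normal document with two links.
FARM_URLS = [f"http://farm-host.example/uploads/1/3/0/6/1306{i:05d}/{i:x}.pdf" for i in range(10)]
FARM_URLS += ["http://other-a.example/a.pdf", "http://other-b.example/b.pdf"]
FARM_PDF = build_sample_pdf(FARM_URLS)
BENIGN_PDF = build_sample_pdf(["https://www.example.org/paper.pdf", "https://www.example.org/"])

if __name__ == "__main__":
    for name, data in (("farm", FARM_PDF), ("benign", BENIGN_PDF)):
        print(name, score_link_farm(data))
```

Running the block prints the evidence dictionary for both constructed files; only the farm-shaped one is flagged. In practice the host-concentration test should be run alongside a path-pattern test, because a farm can spread its links over many domains while keeping an identical upload-path layout, as the extracted URLs on this page do.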

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00000f0f.bin
SHA-256: 970d46c9fd97d645d06f991cbfe4d7056d35e0040eef689aa4d6cafdd8ec2b1c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xF0F
Size: 8704 bytes