Malicious PDF — malware analysis report

Static analysis result for SHA-256 4b749b47495da700…

MALICIOUS

PDF

102.7 KB Created: 2020-03-07 19:19:37 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: bec87a83bbbc82b0114098256ebf6104 SHA-1: aadd05397d05a4966158bef54056b967a8469d88 SHA-256: 4b749b47495da700ca897c1d5f6870b409a2d4c3c637a17319ef667f28cf4fcb
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a large number of embedded external links, a technique often used for SEO manipulation or to redirect users to malicious sites. The ML classifier strongly indicated maliciousness. The document body, though partially corrupted, contains a title related to 'Tenses chart in hindi with examples pdf download' and references wkhtmltopdf, suggesting a lure document. The primary attack pattern involves directing users to a vast array of potentially compromised or malicious websites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://webdisk.wisadmin.co.za/uploads/1/3/0/7/130739122/130739122.html#tenses+chart+in+hindi+with+examples+pdf+download
    • http://www.gaffneygritacademy.com/uploads/1/3/0/7/130775154/8b70569ab1470f0.pdf
    • http://farmnaturally.com/uploads/1/3/0/6/130620451/vefigenin.pdf
    • http://niblettmedia.com/uploads/1/3/0/3/130313072/2187656.pdf
    • http://mphcoatings.com/uploads/1/3/0/7/130739251/xinidune.pdf
    • http://customlovecandles.com/uploads/1/3/0/2/130287514/pavezofulerudososa.pdf
    • http://sparklingspaulding.com/uploads/1/3/0/3/130323806/7938088.pdf
    • http://datadrivenacademy.online/uploads/1/3/0/7/130740003/5667356.pdf
    • http://bellasmultiservicios.com/uploads/1/3/0/8/130874629/6f4485.pdf
    • http://www.thespicecloset.com/uploads/1/3/0/7/130775634/7115652.pdf
    • http://www.haguewaterkc.com/uploads/1/3/0/7/130739540/7771852.pdf
    • http://sprinkledcompany.com/uploads/1/3/0/4/130489363/796fbf09b.pdf
    • http://001radio.com/uploads/1/3/0/5/130589227/zexabiwipib_dokofoxax_lilafujoni.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000118d2.bin
d7ec53b5d27109aff57ceaa57382b74c4d0fbd955f33d2f1673ae1da17ce376c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x118D2 8432 bytes
font_01_sfnt_off00013953.bin
1723f1ced37cc89d69e30f3df6281c5e5fb8989544fd4587aa75b00c91af2fd0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13953 1388 bytes
font_02_sfnt_off000140f1.bin
ab8d134c7afced8748dd7581b3c99ddd1cbc023d0cf152df8b4e9eab98cbb22a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x140F1 16164 bytes
font_03_sfnt_off00015609.bin
881c43dda922b20a9fd53c5120bc3a63983dc70ad7b431c688ad99d4dfeb1579		 pdf-font-stream PDF embedded font (sfnt) at offset 0x15609 18916 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.