Malicious PDF — malware analysis report

Static analysis result for SHA-256 4bf1980f32a60020…

Verdict: MALICIOUS

File type: PDF

Size: 40.8 KB
Created: 2020-03-26 09:48:39 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)

MD5: a1ace569d2fdd8eae8a31648755219fd
SHA-1: b471909ff57abfc373dc2b91131ec16d96f4f5a3
SHA-256: 4bf1980f32a60020d53362cb1e4199ca7148918dd36c9c07a0b95d7d136be5c2

Risk Score: 92

Malware Insights

MITRE ATT&CK

  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious Link

The PDF contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic. The document body also contains a specific URL related to printer setup, suggesting a lure. The primary purpose appears to be directing users to a network of linked websites, likely for SEO manipulation or to host further malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Document-body URL (printer-setup lure): http://resilientsocieties.com/uploads/1/3/0/9/130970014/130970014.html#hp+deskjet+5650+setup

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000060c2.bin
  SHA-256: 9e97903a695766a08c544cad35b2da948d8b5138011e3fa4fa660073cc748089
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x60C2
  Size: 7748 bytes

Filename: font_01_sfnt_off00007f1a.bin
  SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7F1A
  Size: 16036 bytes