Malicious PDF — malware analysis report

Static analysis result for SHA-256 4bf2552cfa723e2d…

Verdict: MALICIOUS
File type: PDF
Size: 33.3 KB
Created: 2020-06-01 06:49:41 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 97212a5fc97c9586bbd2e784c29d3242
SHA-1: 1e6adf3dcc4b7c4b54f462eb784e3d99c0c565f9
SHA-256: 4bf2552cfa723e2debf7864ce793c0e4caee6dfa10124d039f2200e7e718a580
Risk score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The PDF contains a large number of external link annotations, most of which point to other PDF files: several on different domains that share the same /uploads/1/3/.../ path scheme, and several on throwaway wordpress.com file hosts. That is the signature of a generated SEO link-farm PDF, a document produced in bulk to route search-engine traffic into further downloads rather than to cite sources; the wkhtmltopdf producer string is consistent with automated HTML-to-PDF generation. The ML classifier independently scored the file as malicious, corroborating the heuristic. Note that the file carries no JavaScript, embedded executable or exploit trigger in this analysis; the risk is in what the links lead to, not in opening the PDF itself.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI action
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Link targets:
    • http://qualitycareafh.com/uploads/1/3/1/4/131407736/131407736.html#alphanumeric+series+pdf+gradeup
    • http://marchenoir.ch/uploads/1/3/1/4/131410234/66b84509cdcdb6d.pdf
    • http://newsgnat.com/uploads/1/3/0/5/130550783/3273206.pdf
    • http://hostmaster.ps-glane.ch/uploads/1/3/0/9/130969270/6cb634029e64a.pdf
    • http://coloradotruckingcollege.org/uploads/1/3/0/6/130639558/suvurefonodi-pabadu-sipimoza-gekix.pdf
    • https://zosagadepug.files.wordpress.com/2020/05/rugazukut.pdf
    • https://sexisoto.files.wordpress.com/2020/05/53234573085.pdf
    • https://xilagakuse.files.wordpress.com/2020/05/pilokalat.pdf
    • https://kuperira.files.wordpress.com/2020/05/4780047212.pdf
    Namespace URIs from the XMP metadata stream (these are schema identifiers, not clickable targets, and should be excluded from link counts):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
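The link-farm heuristic above is easy to reproduce. The following is an added example, not code from the report or its analysis engine: it scans an uncompressed PDF for /URI actions (literal and hex strings), separates them from XMP xmlns namespace URIs so those are not counted as links, and flags the file when it is small, has many external links, most targets are .pdf files, and they cluster on one host. The two sample PDFs, their hosts, and the thresholds are constructed for illustration; a real PDF with link annotations inside compressed object streams would need a decompressing parser first.

```python
"""Detect SEO link-farm PDFs from /URI link actions (illustrative, regex-based)."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed mini-PDF standing in for the sample: five /Link annotations with
# /URI actions (four .pdf targets, three on one host, one given as a hex string)
# plus an XMP stream whose xmlns attributes are namespace URIs, not links.
# Object syntax is only as complete as the scanner below needs.
LINK_FARM_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 9 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.example/uploads/1/3/1/4/a1.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.example/uploads/1/3/1/4/b2.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.example/uploads/1/3/1/4/c3.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://other.example/x.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI <68747470733a2f2f74686972642e6578616d706c652f706167652e68746d6c> >> >> endobj
9 0 obj << /Type /Metadata /Subtype /XML /Length 140 >> stream
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/"/>
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A constructed one-link document for comparison.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
3 0 obj << /Type /Page /Annots [4 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.org/paper.pdf) >> >> endobj
%%EOF
"""

_URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
_URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
_XMLNS = re.compile(rb'xmlns:[A-Za-z0-9_.-]+\s*=\s*"([^"]+)"')


def _unescape(s: bytes) -> bytes:
    # Undo \( \) \\ in PDF literal strings; octal escapes are left as-is (assumption: rare in URIs).
    return re.sub(rb"\\([()\\])", rb"\1", s)


def extract_link_uris(data: bytes) -> list:
    """URIs from /URI actions (the clickable links), in file order."""
    found = []
    for m in _URI_LITERAL.finditer(data):
        found.append((m.start(), _unescape(m.group(1)).decode("latin-1")))
    for m in _URI_HEX.finditer(data):
        digits = re.sub(rb"\s", b"", m.group(1))
        if len(digits) % 2:          # PDF pads an odd-length hex string with a trailing 0
            digits += b"0"
        found.append((m.start(), bytes.fromhex(digits.decode("ascii")).decode("latin-1")))
    return [u for _, u in sorted(found)]


def extract_xmlns_uris(data: bytes) -> set:
    """Namespace URIs from XMP metadata; identifiers, never counted as links."""
    return {m.group(1).decode("latin-1") for m in _XMLNS.finditer(data)}


def score_link_farm(data: bytes, max_size=64 * 1024, min_links=5,
                    min_pdf_ratio=0.6, min_host_share=0.5) -> dict:
    """Apply the link-farm heuristic. Thresholds are illustrative assumptions."""
    links = extract_link_uris(data)
    external = [u for u in links if urlsplit(u).scheme in ("http", "https")]
    pdf_targets = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in external)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    n = len(external)
    result = {
        "size": len(data),
        "external_links": n,
        "pdf_targets": len(pdf_targets),
        "top_host": top_host,
        "top_host_share": top_count / n if n else 0.0,
        "verdict": "info:PDF_URI" if n else "clean",
    }
    if (len(data) <= max_size and n >= min_links
            and len(pdf_targets) / n >= min_pdf_ratio
            and result["top_host_share"] >= min_host_share):
        result["verdict"] = "critical:PDF_SEO_LINK_FARM"
    return result


if __name__ == "__main__":
    for name, blob in (("link farm", LINK_FARM_PDF), ("benign", BENIGN_PDF)):
        print(name, score_link_farm(blob))
```

The host-share and .pdf-ratio thresholds are what separate a generated carrier from a legitimate bibliography, which also links to many PDFs but spreads them across publishers; tune them against your own corpus before relying on the verdict.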

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000537e.bin
SHA-256: b7ed475708a8de3037c02010ca95401803a176898cdf2345b0be50b8446baa8b
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x537E
Size: 11316 bytes