Malicious PDF — malware analysis report

Static analysis result for SHA-256 4dee0d668305b9d9…

Verdict: MALICIOUS

File type: PDF

Size: 44.7 KB
Created: 2020-06-19 03:04:43 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c148312e9d44d7479cad7fab6ed81dcf
SHA-1: 0ddd617a235c9633a2f5a00654ee62f91eaa9438
SHA-256: 4dee0d668305b9d9faaf4616f17545d0c97364ac177bea12b9c50ef62bd8b8f1
Risk score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF contains a large number of external links, most of them pointing to other PDF files. The targets sit on many different domains but share the same /uploads/1/3/x/x/<numeric id>/ path layout, which is consistent with a generated SEO link farm or redirection mechanism rather than a document citing sources; the wkhtmltopdf authoring stamp is also consistent with automated HTML-to-PDF generation. The document body mentions 'Adobe flash cs5 tutorial free download', a cracked-software lure intended to make users click the embedded links. The ML classifier flagged the file as malicious with maximum confidence, and the volume of external URIs supports that verdict. None of the heuristics listed below concern embedded JavaScript, launch actions or exploit content: the risk this report documents is the delivery chain reached through the links, not code executed by opening the file.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics 3

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://life4real.net/uploads/1/3/0/3/130323109/130323109.html#adobe+flash+cs5+tutorial+free+download
    • http://michaelhiggins.ie/uploads/1/3/0/3/130323959/64388.pdf
    • http://iscebsga.com/uploads/1/3/0/5/130551523/4ce53ea46.pdf
    • http://postmaster.kidsinbeeld.nl/uploads/1/3/1/3/131383441/2802460.pdf
    • http://midcoastcac.org/uploads/1/3/1/3/131379405/zuvomumavere.pdf
    • http://optimisticlivingblog.com/uploads/1/3/1/0/131070827/dudegol_rivujolinodanem_sekazame_desexeripogon.pdf
    • http://peopleinsyncltd.com/uploads/1/3/0/3/130313002/9468924.pdf
    • http://bsrservice.net/uploads/1/3/0/8/130814831/lonito.pdf
    • http://pluggednetworks.co/uploads/1/3/1/3/131383777/d6245e09936f92.pdf
    • http://businesshopelife.com/uploads/1/3/0/5/130589334/3996859.pdf
    • http://livingwaterventures.com/uploads/1/3/0/5/130551559/titolekun.pdf
    • http://saranlpcoach.com/uploads/1/3/1/0/131070806/4127672.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries are XMP schema namespace identifiers (RDF, Dublin Core, Adobe PDF and XMP schemas) declared in the document's XMP metadata packet. They are not clickable links and do not count toward the link farm; only the http://...uploads/... targets above are reached through link annotations.
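The two URL-based heuristics above (PDF_SEO_LINK_FARM and the per-channel labelling behind EMBEDDED_URL) can be reproduced over raw PDF bytes. The following is an added example written for this page, not the scanner's own code: it extracts URLs by channel (link-annotation /URI actions, XMP namespace declarations, and bare URLs left in the body), then scores the link-farm pattern. It goes slightly beyond the rule text by clustering on a digit-normalised path template as well as on host, because the URLs listed on this page sit on different domains but share one /uploads/1/3/x/x/<id>/ layout. The thresholds, the build_pdf skeleton, the hostnames and both sample documents are constructed assumptions, and the regexes assume uncompressed objects with literal strings.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# --- URL extraction by channel ------------------------------------------------
# Regexes run over raw bytes and assume literal, uncompressed PDF objects
# (no /ObjStm, no hex strings, no escaped parentheses inside URI strings).
URI_STRING_RE = re.compile(rb"/URI\s*\(([^)]*)\)")           # /A << /S /URI /URI (...) >>
XMP_NS_RE = re.compile(rb'xmlns:[A-Za-z0-9_.-]+="([^"]+)"')   # schema namespaces in the XMP packet
BODY_URL_RE = re.compile(rb"https?://[^\s()<>'\"]+")          # anything else that looks like a URL


def extract_urls(pdf_bytes):
    """Map each URL to the channel it was reached through, so that XMP schema
    namespaces are never mistaken for clickable link annotations."""
    link_annotation = [m.group(1).decode("latin-1") for m in URI_STRING_RE.finditer(pdf_bytes)]
    xmp_namespace = [m.group(1).decode("latin-1") for m in XMP_NS_RE.finditer(pdf_bytes)]
    already = set(link_annotation) | set(xmp_namespace)
    document_body = []
    for m in BODY_URL_RE.finditer(pdf_bytes):
        url = m.group(0).decode("latin-1")
        if url not in already and url not in document_body:
            document_body.append(url)
    return {"link_annotation": link_annotation,
            "xmp_namespace": xmp_namespace,
            "document_body": document_body}


# --- PDF_SEO_LINK_FARM style heuristic ---------------------------------------
def path_template(url):
    """Collapse digit runs in the directory part, so that
    /uploads/1/3/0/3/130323959/64388.pdf and /uploads/1/3/1/3/131383441/2802460.pdf
    share one template even though they sit on different hosts."""
    directory = urlparse(url).path.rsplit("/", 1)[0]
    return re.sub(r"\d+", "N", directory)


def score_link_farm(pdf_bytes, max_size=200_000, min_pdf_links=8, min_cluster_share=0.6):
    """Return the measurements behind the verdict, not just a boolean.
    Thresholds are illustrative assumptions, not the scanner's real values."""
    clickable = extract_urls(pdf_bytes)["link_annotation"]
    external = [u for u in clickable if urlparse(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    n = len(pdf_links)
    hosts = Counter(urlparse(u).netloc.lower() for u in pdf_links)
    templates = Counter(path_template(u) for u in pdf_links)
    top_host_share = hosts.most_common(1)[0][1] / n if n else 0.0
    top_template_share = templates.most_common(1)[0][1] / n if n else 0.0
    cluster_share = max(top_host_share, top_template_share)
    hit = len(pdf_bytes) <= max_size and n >= min_pdf_links and cluster_share >= min_cluster_share
    return {"size": len(pdf_bytes), "external_links": len(external), "pdf_links": n,
            "top_host_share": top_host_share, "top_template_share": top_template_share,
            "hit": hit}


# --- Constructed samples (hypothetical, not the file analysed on this page) ---
XMP = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
       b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
       b'xmlns:dc="http://purl.org/dc/elements/1.1/"></rdf:RDF></x:xmpmeta>')


def build_pdf(link_urls, body_text):
    """Minimal uncompressed PDF skeleton: one /Link annotation per URL plus an XMP
    packet. Enough structure for the extractor, not a viewer-grade file."""
    objs = [b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj\n",
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"]
    annots = b" ".join(b"%d 0 R" % (6 + i) for i in range(len(link_urls)))
    objs.append(b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 5 0 R /Annots [" + annots + b"] >> endobj\n")
    objs.append(b"4 0 obj << /Type /Metadata /Subtype /XML /Length %d >> stream\n" % len(XMP)
                + XMP + b"\nendstream endobj\n")
    content = b"BT /F1 12 Tf (" + body_text + b") Tj ET"
    objs.append(b"5 0 obj << /Length %d >> stream\n" % len(content) + content + b"\nendstream endobj\n")
    for i, url in enumerate(link_urls):
        objs.append(b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 10] /A << /S /URI /URI (" % (6 + i)
                    + url.encode("latin-1") + b") >> >> endobj\n")
    return b"%PDF-1.4\n" + b"".join(objs) + b"trailer << /Root 1 0 R >>\n%EOF\n"


# Ten .pdf targets on ten different hosts sharing one path layout, plus one .html lure.
FARM_LINKS = [f"http://host{i}.example/uploads/1/3/0/{i}/13000000{i}/{i * 7919}.pdf" for i in range(10)]
FARM_LINKS.append("http://lure.example/uploads/1/3/0/3/130000003/130000003.html#adobe+flash+cs5+tutorial+free+download")
FARM_PDF = build_pdf(FARM_LINKS, b"Adobe flash cs5 tutorial free download, see http://lure.example/page.html")
# A citation-like control document: two links, only one of them a PDF.
BENIGN_PDF = build_pdf(["https://doi.example/10.1000/xyz123", "https://publisher.example/papers/2020/paper.pdf"],
                       b"References: [1] https://doi.example/10.1000/xyz123")

if __name__ == "__main__":
    for name, doc in (("farm", FARM_PDF), ("benign", BENIGN_PDF)):
        print(name, score_link_farm(doc))
    for channel, urls in extract_urls(FARM_PDF).items():
        print(channel, urls)
```

Reporting the shares rather than a bare verdict matters in triage: a document with ten PDF links spread over ten unrelated hosts and ten unrelated paths is a reference list, while the same ten links collapsing onto one host or one path template is a generated carrier. On real files, run the extractor after decompressing object streams, otherwise the link annotations may be invisible to the regexes.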

Extracted artifacts 2

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00006cc0.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6CC0
    Size: 5336 bytes
    SHA-256: bbae7eefceb510955e7dd498c1130858f2e52996bb9aeec5bf53c9e47e2c34ad
  • font_01_sfnt_off00007eeb.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7EEB
    Size: 10948 bytes
    SHA-256: daff692465467691220827c9577cc6ed814f7cfbc6632e5004af793d089c868c