Malicious PDF — malware analysis report

Static analysis result for SHA-256 4e8c7a0ba9360efe…

MALICIOUS

PDF

52.5 KB Created: 2020-04-26 19:08:45 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 027b7c22bb772a77a79eb87edaa84762 SHA-1: 5e8537b0ea6def5ea29ebc86f02320cb1b8369e8 SHA-256: 4e8c7a0ba9360efe31a0ed7b1fc275c42d0d74ac3584d2bc6d012e36a7f002f8
Risk Score: 92

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.001 User Execution: Malicious Link

The PDF is small (52.5 KB) yet carries nine clickable external links, flagged by the PDF_SEO_LINK_FARM heuristic. They sit on nine different hosts but share an identical /uploads/1/3/.../ path structure, and eight of them resolve to further .pdf files rather than to cited sources; this is the pattern of generated SEO/link-farm PDFs used to route readers into malicious or unwanted-software delivery chains. The ML classifier also scored the sample as malicious with high confidence. No JavaScript or other active content was extracted from this sample, so the risk lies in the links the user is led to click, not in the file itself.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://accomadationmadeeasy.com/uploads/1/3/0/7/130740012/130740012.html#index+match+using+multiple+sheets
    • http://naturalvface.com/uploads/1/3/1/4/131437446/fb2c55.pdf
    • http://kencot.net/uploads/1/3/0/2/130272295/pogazivokokap.pdf
    • http://techinfoplusideas.com/uploads/1/3/0/9/130969011/6813689.pdf
    • http://sheempowerment.org/uploads/1/3/0/6/130604158/d45a941136b3c.pdf
    • http://ourplace247.com/uploads/1/3/0/6/130603903/f17ec844b8c22c.pdf
    • http://amokasolutions.com/uploads/1/3/1/4/131437074/24d2d3.pdf
    • http://unwindutopia.com/uploads/1/3/0/6/130604177/a22a81.pdf
    • http://thenormalwitch.com/uploads/1/3/0/3/130313370/2702334.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
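The last six URLs above are standard RDF, Dublin Core and Adobe XMP namespace identifiers that appear in almost every PDF's metadata stream; a generic URL scanner picks them up, but they are not link annotations and carry no signal. The following script is an added example, not part of the report or the analysis tool, showing how to separate the two channels and apply a PDF_SEO_LINK_FARM-style check: it pulls /URI actions out of link annotations, pulls every URL out of the raw bytes (the EMBEDDED_URL view), drops the known metadata namespaces, and scores the file on size, number of external .pdf targets and host clustering. The sample PDF is constructed inline with placeholder hostnames, and the thresholds (200 KB, five .pdf links) are assumptions chosen for illustration; the real heuristic's thresholds are not stated on this page. The regex extractor only sees uncompressed object dictionaries, so a sample whose annotations live inside FlateDecode object streams must be decompressed first (for example with qpdf --qdf --object-streams=disable) before this check will see them.

```python
import re
from collections import Counter
from urllib.parse import urlparse


def _build_sample_pdf():
    """Constructed sample (not the analysed file): an uncompressed PDF with one page,
    seven /URI link annotations on seven distinct placeholder hosts, and an XMP
    metadata stream carrying the usual namespace identifiers."""
    links = [f"http://host{i}.example/uploads/1/3/0/{i}/13000000{i}/file{i}.pdf"
             for i in range(7)]
    objs = ["<< /Type /Catalog /Pages 2 0 R /Metadata 3 0 R >>",
            "<< /Type /Pages /Kids [4 0 R] /Count 1 >>"]
    xmp = ('<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           'xmlns:dc="http://purl.org/dc/elements/1.1/" '
           'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></x:xmpmeta>')
    objs.append(f"<< /Type /Metadata /Subtype /XML /Length {len(xmp)} >>\n"
                f"stream\n{xmp}\nendstream")
    annot_refs = " ".join(f"{5 + i} 0 R" for i in range(len(links)))
    objs.append(f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
                f"/Annots [{annot_refs}] >>")
    for link in links:
        objs.append("<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    f"/A << /S /URI /URI ({link}) >> >>")
    body = "%PDF-1.4\n" + "".join(f"{n} 0 obj\n{o}\nendobj\n"
                                   for n, o in enumerate(objs, 1))
    # No xref table: the regex scanner below does not need one.
    return (body + "trailer\n<< /Root 1 0 R >>\n%%EOF\n").encode("latin-1")


SAMPLE_PDF = _build_sample_pdf()

# "/URI (" is the key of a URI action followed by a literal string. The name /URI
# after /S is followed by another name, not "(", so it does not match. Hex-string
# values (/URI <...>) and strings containing an escaped ")" are not handled.
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Generic URL sweep over the raw bytes, the same view EMBEDDED_URL reports.
URL_RE = re.compile(rb"https?://[^\s\"'<>()\]]+")
# Namespace identifiers found in XMP metadata of ordinary PDFs; never a detection.
XMP_NAMESPACE_PREFIXES = ("http://www.w3.org/1999/02/22-rdf-syntax-ns#",
                          "http://purl.org/dc/elements/1.1/",
                          "http://ns.adobe.com/")


def extract_uri_actions(data):
    """URLs the user can actually click: targets of /URI actions in link annotations."""
    return [m.group(1).decode("latin-1") for m in URI_ACTION_RE.finditer(data)]


def extract_all_urls(data):
    """Every http(s) URL anywhere in the file, including metadata namespaces."""
    return sorted({m.group(0).decode("latin-1") for m in URL_RE.finditer(data)})


def is_xmp_namespace(url):
    return url.startswith(XMP_NAMESPACE_PREFIXES)


def link_farm_verdict(data, max_size=200 * 1024, min_pdf_links=5):
    """Assumed thresholds: a small file whose link annotations point at many
    external .pdf files is flagged. Host clustering is reported, not required,
    because the analysed sample spreads its links across distinct hosts."""
    uris = extract_uri_actions(data)
    external = [u for u in uris if urlparse(u).scheme in ("http", "https")]
    pdf_targets = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).netloc.lower() for u in external)
    top = hosts.most_common(1)
    return {
        "size": len(data),
        "external_links": len(external),
        "pdf_links": len(pdf_targets),
        "distinct_hosts": len(hosts),
        "dominant_host": top[0][0] if top else None,
        "dominant_share": top[0][1] / len(external) if external else 0.0,
        "link_farm": len(data) <= max_size and len(pdf_targets) >= min_pdf_links,
    }


if __name__ == "__main__":
    verdict = link_farm_verdict(SAMPLE_PDF)
    print("PDF_SEO_LINK_FARM:", verdict)
    for url in extract_all_urls(SAMPLE_PDF):
        label = "xmp-namespace" if is_xmp_namespace(url) else "link-annotation"
        print(f"  {label:16} {url}")
```

Run it against a real sample by replacing SAMPLE_PDF with the file's bytes; if extract_uri_actions returns nothing while extract_all_urls still finds clickable-looking URLs, the annotations are almost certainly inside compressed object streams and the file needs to be expanded before the count is meaningful.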

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00008ea3.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x8EA3   9064 bytes
  SHA-256: 83e003a3044d3cf4c19a755e8eef26d7ad5c93c26506f9b7413d8b0bafbd3909
font_01_sfnt_off0000b13b.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xB13B   16036 bytes
  SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63