Malicious PDF — malware analysis report

Static analysis result for SHA-256 4f391e1f2f082aa9…

MALICIOUS

PDF

Size: 36.2 KB
Created: 2020-04-16 17:13:18 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: ad59ee8b038603f001df1241075fc3a7
SHA-1: b3bc63af7074b6c146130b4e6eaf7076cf45ef30
SHA-256: 4f391e1f2f082aa9ec11925b1ab6ee92f53bc96b559d322edd2271fdfb673e24
Risk score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, many of which point to other PDF files with numeric slugs, indicative of a link farm. The primary lure appears to be related to optics, as suggested by the document body mentioning 'Concave and convex lenses image formation'. The ML classifier strongly flagged this PDF as malicious. The numerous external links are the primary IOCs.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://passionparkour.com/uploads/1/3/0/5/130588685/130588685.html#concave+and+convex+lenses+image+formation

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000066df.bin
SHA-256: f286ea69d1404d5af932bf9d0e7884457b62bcae8fd8fc7ec11a07c0a18b0038
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x66DF
Size: 7648 bytes