Malicious PDF — malware analysis report

Static analysis result for SHA-256 5031681f6f059b45…

MALICIOUS

PDF

Size: 36.6 KB
Created: 2020-04-04 12:08:11 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: ab3718c7499d08d6b016efcca8d3a2f5
SHA-1: 7d69fbfd5f83ff2a14e4f57e26a31de15ff777ba
SHA-256: 5031681f6f059b45db3a2cb884be38f8b2ab10355257c627babf054a17301cab
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF contains a large number of external links to other PDF files hosted on various domains, a technique often used for SEO manipulation or to distribute malicious content. The ML classifier strongly indicated maliciousness. The primary attack pattern involves directing users to a link farm of potentially harmful documents.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://scruggsmetalworks.com/uploads/1/3/0/7/130776457/130776457.html#speed+queen+washing+machine+parts+diagram
    • http://centrojazzalba.com/uploads/1/3/0/2/130289387/bce85afb6a005fc.pdf
    • http://cybersecuritynews.us/uploads/1/3/0/7/130776174/fugilop.pdf
    • http://kirkpinar.info/uploads/1/3/0/2/130287424/4181480.pdf
    • http://vintagechicdiamonds.com/uploads/1/3/0/6/130604688/6ec98101.pdf
    • http://nymica.com/uploads/1/3/1/3/131378776/lubonemisafuko.pdf
    • http://yorbalakepetclinic.com/uploads/1/3/1/4/131414561/6704023.pdf
    • http://wamlcrafts.com/uploads/1/3/0/4/130488875/tewenu_gigavi_katodafogazot.pdf
    • http://furevents.melbourne/uploads/1/3/0/6/130621304/motogazidulapa.pdf
    • http://alendinghandseniorliving.net/uploads/1/3/1/0/131069766/lexavolozogu.pdf
    • http://isobelpigott.com/uploads/1/3/0/6/130639703/maseninifip-gorokiruji-gakupipiwe.pdf
    • http://e3financial.org/uploads/1/3/0/4/130483581/6910434.pdf
    • http://digitalhustleblueprint.com/uploads/1/3/0/7/130775730/bamara.pdf
    • http://tyleryonge.com/uploads/1/3/0/7/130740440/bafemabekixu_wexedarerukeziv_zapaloferigek.pdf
    • http://khaliafrazier.com/uploads/1/3/0/6/130639824/8553490.pdf
    • http://vintageviews.net/uploads/1/3/0/3/130323937/8559451.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000067d3.bin
SHA-256: 4ff71b79351566cfc36f6d9e8281f372ce7f003d4bff5731a3c4ac2e8efb9a18
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x67D3
Size: 7508 bytes