Malicious PDF — malware analysis report

Static analysis result for SHA-256 527b6476fca9fbfe…

Verdict: MALICIOUS

File type: PDF

Size: 38.6 KB
Created: 2020-03-23 16:41:05 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: be3e3ed6d79ce51642c50b8ad99cb1ad
SHA-1: cdfeb9851cd363be018c19b229a8909293f14085
SHA-256: 527b6476fca9fbfee69b8598cad90fad617f1ebadf0009b50e2e2cef9b2f5449
Risk score: 92

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File

The PDF contains a large number of external links, flagged by the PDF_SEO_LINK_FARM heuristic, pointing to many different domains. The ML classifier also scored the file as malicious with maximum confidence. The document's primary purpose appears to be routing users into a large collection of other PDF documents, consistent with SEO spam or a delivery chain for further malicious or unwanted content. No scripts (JavaScript or other active content) were extracted from this sample; the risk lies in where the links lead, not in the file itself.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI action
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://longevitylogisticsinc.com/uploads/1/3/0/2/130270768/130270768.html#coordinate+graphing+mystery+picture+free
    • http://konidarisart.com/uploads/1/3/0/7/130738615/8923249.pdf
    • http://mytfillin.com/uploads/1/3/0/5/130588613/ruwanelizijugamexugi.pdf
    • http://thelearningagencylab.com/uploads/1/3/0/6/130639181/a9b68a88f37c2a7.pdf
    • http://antiviruseprotectserviceonline.site/uploads/1/3/0/4/130476976/6524884.pdf
    • http://downthedamroad.com/uploads/1/3/0/8/130874519/e533885997224.pdf
    • http://chandra-biermann.com/uploads/1/3/0/4/130435780/wixinajadip_pawanufudogemi.pdf
    • http://spwhoa.com/uploads/1/3/0/6/130604938/depagejuselu.pdf
    • http://wizzteam.space/uploads/1/3/0/2/130291596/6bd722010b57efa.pdf
    • http://out-the-back-door.com/uploads/1/3/0/4/130436313/b505c167e2.pdf
    • http://interior3.com/uploads/1/3/0/3/130323806/ruzenato.pdf
    • http://jaspermarianek.shop/uploads/1/3/0/2/130270897/decee6.pdf
    • http://reviewforce.com/uploads/1/3/0/6/130639133/3540439.pdf
    • http://academysupport.grantme.ca/uploads/1/3/0/7/130776211/7965898.pdf
    • http://hedrickheadlines.com/uploads/1/3/0/7/130738482/kevitutibob_kuvoboguna.pdf
    • http://www.elizabethhayesashleetaylor.com/uploads/1/3/0/6/130621575/womifetifusopaju.pdf
    • http://montanabridalshows.com/uploads/1/3/0/5/130588165/nevarowalukoxami.pdf
    • http://nicole-bramble-illustration.com/uploads/1/3/0/4/130477252/femub_xoralik_lasen_kelapisodeli.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries are standard XMP/RDF namespace identifiers declared in the document's metadata stream, not clickable link targets; the URL extractor reports them because they appear as URLs in the file, so they should not be counted toward the link-farm total.
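As an added worked example (not the analysis engine's code), the Python script below builds a constructed mini-PDF with one /Link annotation per URL and an XMP packet, then separates the /URI action targets from the XMP namespace URIs and applies a PDF_SEO_LINK_FARM-style heuristic. The thresholds, the hypothetical `*.example` hosts and the path-template clustering measure are this example's assumptions, and the regex-based extractor only sees uncompressed annotation objects; a production check would use a real PDF parser.

```python
"""Link-farm heuristic over a PDF's raw bytes (added example, not the analysis
engine's code).  Separates /URI link-annotation targets from XMP namespace
URIs so that metadata noise is not counted as clickable links."""
import re
from collections import Counter
from urllib.parse import urlsplit

# /URI (literal string) inside a /Link annotation's /A action dictionary.
# Only uncompressed objects are visible to a regex; annotations packed into
# compressed object streams need a real PDF parser (e.g. pdfminer, pypdf).
URI_ACTION_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.DOTALL)
# xmlns declarations inside an XMP packet: namespace identifiers, not links.
XMP_NS_RE = re.compile(rb'xmlns:[A-Za-z0-9_]+="([^"]+)"')

# Constructed sample input: 12 ".pdf" targets plus one ".html" target spread
# over hypothetical hosts that share a Weebly-style /uploads/... path template.
SAMPLE_LINKS = [
    "http://site-%02d.example/uploads/1/3/0/%d/1304%05d/doc%d.pdf" % (i, i % 9, i * 37, i)
    for i in range(12)
] + ["http://site-12.example/uploads/1/3/0/2/130270768/index.html#picture+free"]
SAMPLE_XMP_NS = [
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/pdf/1.3/",
    "http://ns.adobe.com/xap/1.0/",
]


def build_sample_pdf(urls, xmp_namespaces):
    """Build a minimal single-page PDF with one /Link annotation per URL and an
    XMP metadata stream declaring the given namespaces (constructed input)."""
    objs = []

    def add(body):
        objs.append(body)
        return len(objs)

    annot_ids = [add(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                     b"/A << /S /URI /URI (" + u.encode() + b") >> >>") for u in urls]
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           + b" ".join(b'xmlns:ns%d="%s"' % (i, ns.encode()) for i, ns in enumerate(xmp_namespaces))
           + b"/></x:xmpmeta>")
    meta_id = add(b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp)
                  + xmp + b"\nendstream")
    page_id, pages_id = len(objs) + 1, len(objs) + 2
    add(b"<< /Type /Page /Parent %d 0 R /MediaBox [0 0 200 200] /Annots [%s] >>"
        % (pages_id, b" ".join(b"%d 0 R" % i for i in annot_ids)))
    add(b"<< /Type /Pages /Kids [%d 0 R] /Count 1 >>" % page_id)
    catalog_id = add(b"<< /Type /Catalog /Pages %d 0 R /Metadata %d 0 R >>" % (pages_id, meta_id))

    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root %d 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objs) + 1, catalog_id, xref_pos)
    return bytes(out)


def _unescape(literal):
    """Undo the PDF literal-string escapes a URL is likely to contain."""
    return literal.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")


def extract_urls(pdf_bytes):
    """Return (link_action_uris, xmp_namespace_uris) found in raw PDF bytes."""
    links = [_unescape(m.group(1)).decode("latin-1") for m in URI_ACTION_RE.finditer(pdf_bytes)]
    namespaces = [m.group(1).decode("latin-1") for m in XMP_NS_RE.finditer(pdf_bytes)]
    return links, namespaces


def _path_template(url):
    """Collapse digit runs in the directory part of the path, so that
    /uploads/1/3/0/2/130270768/x.pdf becomes /uploads/N/N/N/N/N and hosts
    sharing one generator layout cluster together (this example's measure)."""
    directory = urlsplit(url).path.rsplit("/", 1)[0]
    return re.sub(r"\d+", "N", directory)


def link_farm_score(pdf_bytes, max_size=100_000, min_links=10, min_pdf_ratio=0.7):
    """Heuristic in the spirit of the report's PDF_SEO_LINK_FARM (thresholds are
    this example's assumptions): a small PDF whose clickable external links
    overwhelmingly point at other PDFs, plus host and path-template clustering."""
    links, _ = extract_urls(pdf_bytes)  # XMP namespaces are deliberately dropped
    external = [u for u in links if urlsplit(u).scheme in ("http", "https")]
    pdf_targets = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in external)
    templates = Counter(_path_template(u) for u in external)
    n = len(external)
    result = {
        "size": len(pdf_bytes),
        "external_links": n,
        "pdf_targets": len(pdf_targets),
        "distinct_hosts": len(hosts),
        "top_host_share": hosts.most_common(1)[0][1] / n if n else 0.0,
        "top_path_template_share": templates.most_common(1)[0][1] / n if n else 0.0,
    }
    result["link_farm"] = bool(
        len(pdf_bytes) <= max_size and n >= min_links and len(pdf_targets) / n >= min_pdf_ratio
    )
    return result


def analyze_sample():
    """Build the constructed sample and score it."""
    return link_farm_score(build_sample_pdf(SAMPLE_LINKS, SAMPLE_XMP_NS))


if __name__ == "__main__":
    for key, value in analyze_sample().items():
        print(f"{key}: {value}")
```

Note that, like the report's own URL list, the constructed links sit on many distinct hosts, so a host-only clustering test would miss them; the shared `/uploads/N/N/N/N/N` path template is what ties them together.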

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006f56.bin
SHA-256: fe3ab0bacb8ee397168f5788e24d9c9ab39c406d354904978cd0d1a778b7d23d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6F56
Size: 7540 bytes