Malicious PDF — malware analysis report

Static analysis result for SHA-256 528b76cf66b9ba89…

Verdict: MALICIOUS
File type: PDF
Risk Score: 92

Size: 60.2 KB
Created: 2020-04-20 17:04:55 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)

MD5: 9b1b46b4502e8adbf864fa4134c28c21
SHA-1: 2a4468c0ec8bb13bd531e10366ebc5786b9e26da
SHA-256: 528b76cf66b9ba89da2fc4c8140b644ad619399873a67eba8b8c71bb61fed60f

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains numerous external links, a technique often used for SEO manipulation or to redirect users to malicious sites. The document body, though heavily obfuscated, contains text related to 'black panther animal information in marathi' and references the wkhtmltopdf tool, suggesting a lure to generate traffic or distribute further content. The presence of a PDF link farm heuristic further supports this attack pattern.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9851

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://presenthk.com/uploads/1/3/1/4/131482907/131482907.html#black+panther+animal+information+in+marathi
    • http://allamericanhousesitters.com/uploads/1/3/0/6/130621951/07476efb6533d.pdf
    • http://homesafari.net/uploads/1/3/1/4/131406295/jasisifulor_bumuviro.pdf
    • http://co-comm.us/uploads/1/3/1/4/131408142/bivuxabaga_geporan.pdf
    • http://jgsjhamilton.com/uploads/1/3/0/6/130621895/bosatisudapadon_puwebal_tosanukake.pdf
    • http://glamorousglitz.shop/uploads/1/3/1/0/131070452/moboxuker.pdf
    • http://kerbsideautos.com/uploads/1/3/0/3/130313643/ginewetu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00007906.bin
    SHA-256: c947b4bf141d555a4057fa4e4477e59610fc23b3d825e98d91d8fca3f13ef88f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7906
    Size: 8372 bytes
  • font_01_sfnt_off000098d1.bin
    SHA-256: 27198b954cb9c930d2c4c4cbc6d352d8eb1b57b87237b00118757285f41c4aac
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x98D1
    Size: 16156 bytes
  • font_02_sfnt_off0000adec.bin
    SHA-256: 822a040122fbf9ac803bd59531a4c2f038b67008d37c72ea24ccbca6334db62c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xADEC
    Size: 18348 bytes