Malicious PDF — malware analysis report

Static analysis result for SHA-256 52caf82813a2befc…

Verdict: MALICIOUS
File type: PDF
Size: 41.2 KB
Created: 2020-04-11 12:26:40 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: beab46354e9ea44d347e33192ef6ef16
SHA-1: 5f115ee2d6121d7fe5cffa7286e9b8beb200fd71
SHA-256: 52caf82813a2befc7ab159320a5a170bb82f2177d04fdbbd1be47cd5f212a90e
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF document triggers a link-farm heuristic, indicating a large number of external links. The document body, though truncated, includes a URL that appears to be part of this link farm. The primary purpose appears to be directing users to various external PDF files hosted on different domains, likely for malicious ends such as phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9986

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007439.bin
SHA-256: e2bc90d255ed5d1cd3c4391948e182f9570c39cab6abbb7e7a69ddd5b1dfde04
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x7439
Size: 9620 bytes