Malicious PDF — malware analysis report

Static analysis result for SHA-256 537ee1efa89c95ec…

Verdict: MALICIOUS
File type: PDF
Size: 37.5 KB
Created: 2020-03-25 10:54:31 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: aa89f5b4bf04f9628223f5a8d5c4e5a1
SHA-1: 58bff765edec80836745f034c35b5b06fdbd853b
SHA-256: 537ee1efa89c95ec86ad8a2be0ddd522426296cdf8c2d439a1793f5e42624b7b
Risk score: 92

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF contains a large number of clickable external links, flagged by the PDF_SEO_LINK_FARM heuristic, each pointing to a different PDF file on a different domain but with an identical /uploads/1/3/... path layout. The ML classifier independently scored the file as malicious (1.0000). The document body is partially corrupted but still carries a title about electrical transformers (the URL fragment is a Spanish search phrase about determining the relative polarity of transformer windings), and the metadata names wkhtmltopdf 0.12.1.4 as the producer, which is consistent with a mass-generated HTML-to-PDF lure rather than a hand-authored document. The attack pattern is to route a user who opens the file into a link farm, either for SEO manipulation or to deliver malicious or unwanted software from one of the linked hosts; the PDF itself carries no code, so the risk lies entirely in the outbound links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern. In this sample the links span many distinct domains but share one path template (/uploads/1/3/<d>/<d>/<9-digit id>/<name>.pdf), which is the generated-carrier signal the heuristic keys on; the heuristic's generic "clustered on one host" wording does not describe this sample.
  • PDF_URI (info): External URI action
    PDF contains at least one link annotation with an external /URI action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://barbarascuccimarra.com/uploads/1/3/1/0/131070131/131070131.html#como+determinar+la+polaridad+relativa+de+los+devanados+de+un+transformador
    • http://bucketofsuds.us/uploads/1/3/0/5/130589061/e4ed1c43ece11.pdf
    • http://metrophoenixhypnotherapy.com/uploads/1/3/0/6/130604789/ea03837.pdf
    • http://commonbranch.org/uploads/1/3/0/6/130620297/gifofozofadunewanev.pdf
    • http://refinance.mortgage/uploads/1/3/0/2/130289290/9784805.pdf
    • http://airhartaerial.com/uploads/1/3/0/6/130639547/8020849.pdf
    • http://themanadvice.com/uploads/1/3/0/6/130620888/zajevopused-fejaj-momazobesefuf.pdf
    • http://rainonearth.com/uploads/1/3/0/3/130313031/pafitatozatok_kaxinete.pdf
    • http://madisonbows.com/uploads/1/3/1/0/131069915/01981b64f9.pdf
    • http://www.heiligebirmaner.com/uploads/1/3/0/8/130815351/f14b7d0e.pdf
    • http://djalexmusic.com/uploads/1/3/0/5/130546977/gufefuv-depisodo.pdf
    • http://thescentedsheep.com/uploads/1/3/0/6/130621865/jodozififopo.pdf
    • http://alloexo.info/uploads/1/3/0/5/130588445/zupefuwi.pdf
    • http://tolhouse-design.com/uploads/1/3/0/5/130551116/dowivivadu.pdf
    • http://chandalinchamplin.net/uploads/1/3/0/5/130588775/32021.pdf
    • http://mountain2river.us/uploads/1/3/0/5/130551434/rijutabo.pdf
    • http://earthbeanstudios.com/uploads/1/3/0/5/130539584/9fe1f85a95bb1.pdf
    XMP/RDF namespace identifiers from the document metadata stream (schema URIs, not clickable links; present in any XMP-tagged PDF):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
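The following is an added example, not code from the analysis engine that produced this report, showing how the PDF_SEO_LINK_FARM heuristic and the EMBEDDED_URL channel split above can be reproduced. It builds a constructed PDF-syntax byte blob (not the analysed sample) from ten of the link targets listed above plus three XMP namespace URIs, separates URLs that sit in clickable /URI actions from URLs that merely appear in the bytes, and then scores the clickable set on file size, link count and path-template uniformity. The thresholds (100 KB, 8 links, 80 % template share) and all function names are assumptions chosen for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample input: link targets from the report above, wrapped in a minimal
# PDF object skeleton. This is NOT the analysed file; it only reproduces the two
# places URLs appear in such a carrier (link annotations and the XMP metadata stream).
LINK_TARGETS = [
    "http://bucketofsuds.us/uploads/1/3/0/5/130589061/e4ed1c43ece11.pdf",
    "http://metrophoenixhypnotherapy.com/uploads/1/3/0/6/130604789/ea03837.pdf",
    "http://commonbranch.org/uploads/1/3/0/6/130620297/gifofozofadunewanev.pdf",
    "http://refinance.mortgage/uploads/1/3/0/2/130289290/9784805.pdf",
    "http://airhartaerial.com/uploads/1/3/0/6/130639547/8020849.pdf",
    "http://themanadvice.com/uploads/1/3/0/6/130620888/zajevopused-fejaj-momazobesefuf.pdf",
    "http://rainonearth.com/uploads/1/3/0/3/130313031/pafitatozatok_kaxinete.pdf",
    "http://madisonbows.com/uploads/1/3/1/0/131069915/01981b64f9.pdf",
    "http://www.heiligebirmaner.com/uploads/1/3/0/8/130815351/f14b7d0e.pdf",
    "http://djalexmusic.com/uploads/1/3/0/5/130546977/gufefuv-depisodo.pdf",
]
XMP_NAMESPACES = [
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/pdf/1.3/",
]


def build_sample_pdf(links, namespaces):
    """Assemble a PDF-syntax blob: one /Link annotation per URL plus an XMP stream (constructed)."""
    parts = [b"%PDF-1.4\n"]
    for n, url in enumerate(links, start=1):
        parts.append(
            f"{n} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
            f"/A << /S /URI /URI ({url}) >> >>\nendobj\n".encode()
        )
    xmlns = " ".join(f'xmlns:ns{i}="{ns}"' for i, ns in enumerate(namespaces))
    xmp = f"<rdf:RDF {xmlns}></rdf:RDF>"
    parts.append(
        f"{len(links) + 1} 0 obj\n<< /Type /Metadata /Subtype /XML /Length {len(xmp)} >>\n"
        f"stream\n{xmp}\nendstream\nendobj\n".encode()
    )
    parts.append(b"%%EOF\n")
    return b"".join(parts)


# A /URI action inside a link annotation: the only form a reader will follow on click.
URI_ACTION = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")
# Any URL-looking byte run anywhere in the file (metadata, text, comments, ...).
ANY_URL = re.compile(rb"https?://[^\s<>\"'()]+")


def extract_urls(pdf_bytes):
    """Split URLs by channel: clickable /URI actions vs. passive occurrences such as XMP namespaces."""
    clickable = [m.group(1).decode("latin-1") for m in URI_ACTION.finditer(pdf_bytes)]
    everything = {m.group(0).decode("latin-1") for m in ANY_URL.finditer(pdf_bytes)}
    passive = sorted(everything - set(clickable))
    return clickable, passive


def path_template(url):
    """Collapse a URL's directory path to its shape: digit runs become N, the filename is dropped."""
    directory = urlsplit(url).path.rsplit("/", 1)[0] + "/"
    return re.sub(r"\d+", "N", directory)


def link_farm_verdict(pdf_bytes, max_size=100_000, min_links=8, min_template_share=0.8):
    """Assumed thresholds: small file, many distinct clickable .pdf links, one dominant path template."""
    clickable, passive = extract_urls(pdf_bytes)
    pdf_links = sorted({u for u in clickable if urlsplit(u).path.lower().endswith(".pdf")})
    hosts = {urlsplit(u).hostname for u in pdf_links}
    templates = Counter(path_template(u) for u in pdf_links)
    top_template, top_count = templates.most_common(1)[0] if templates else ("", 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    hit = len(pdf_bytes) <= max_size and len(pdf_links) >= min_links and share >= min_template_share
    return {
        "size": len(pdf_bytes),
        "clickable_pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "dominant_path_template": top_template,
        "template_share": share,
        "passive_urls": passive,  # reported for context only, never a detection
        "PDF_SEO_LINK_FARM": hit,
    }


if __name__ == "__main__":
    verdict = link_farm_verdict(build_sample_pdf(LINK_TARGETS, XMP_NAMESPACES))
    for key, value in verdict.items():
        print(f"{key}: {value}")
```

Two practical caveats. First, the regexes work on raw bytes, which is enough for wkhtmltopdf-style output where annotation dictionaries are stored uncompressed; a production extractor must also inflate FlateDecode streams and walk object streams, or it will miss links the reader can still follow. Second, the template check is what separates a link farm from a bibliography: a genuine paper cites many hosts with unrelated paths, whereas a generated carrier reuses one path shape across every host, exactly as the URL list above does.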

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006869.bin
SHA-256: 4d54ab055c19bb72d6f8a1f61e9303a1c943940604cc26f18f3a57aef8670804
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6869
Size: 8664 bytes