Malicious PDF — malware analysis report

Static analysis result for SHA-256 55e8ae4786e21e10…

Verdict: MALICIOUS
File type: PDF
Size: 48.0 KB
Created: 2020-03-10 05:28:04 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: b84fcabc177ae6500656b3ad8c20ce0d
SHA-1: 06ab7c0a4f2b5fc9138b4b4dd9aa3f165c446d01
SHA-256: 55e8ae4786e21e102a33dff60df8b540631d2c087a7199a08472c4b6c84a0b0a
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file contains a large number of external links, many of which point to other PDF files hosted on various domains. The document body text suggests a lure of a 'Journal article critique sample' to entice users to click these links. The heuristic 'PDF_SEO_LINK_FARM' indicates a mass of external links designed to manipulate search engine results or distribute content. The ML classifier strongly flagged this PDF as malicious. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000928d.bin
SHA-256: f8de1d57e50b6850ef3e1b22eb40cd8c4a08b0cf69c6bad804a8cbb4d1d408d4
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x928D
Size: 8600 bytes