Malicious PDF — malware analysis report

Static analysis result for SHA-256 58d4bd3df2c2da63…

MALICIOUS

PDF

Size: 88.8 KB
Created: 2020-06-14 07:53:16 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bf820d27ef0f33ff97a4a1ff22526723
SHA-1: b16d1af177d7bb0f3ccf8ca76b978cfd47835789
SHA-256: 58d4bd3df2c2da63ed50276b08caf545fc65f241e0ab2802353bd21103fcf489
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

This PDF document contains a large number of external links, a technique often used for SEO poisoning or to redirect users to malicious websites. The ML classifier strongly indicated maliciousness. The embedded URLs suggest a link farm designed to distribute further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0001205c.bin
SHA-256: 92034cc9ae8b18533a04ecf6017a2ac36b2ad2caa969c2ef9e1cf8bb06ef72da
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x1205C
Size: 16840 bytes