Malicious PDF — malware analysis report

Static analysis result for SHA-256 5a1b349fe7fa60f0…

MALICIOUS

PDF

Size: 53.6 KB
Created: 2020-03-24 04:19:14 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: acfb0c86df8a7419c8cf9869f43c91ce
SHA-1: 71f98acf5b03b15b6184e088378ed80b54b35863
SHA-256: 5a1b349fe7fa60f0f26c2e7bdc57a38d9e75f43d098e280654e0f3d3ff5a4d03
Risk score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

This PDF file was flagged as malicious by a machine learning classifier. It contains a large number of external links, many of which point to similarly structured URLs (the same /uploads/1/3/0/... path pattern) on different domains, which suggests a link farm or SEO poisoning tactic. The primary extracted URL is http://wellwithacupuncture.com/uploads/1/3/0/7/130740262/130740262.html#que+es+citocinas+proinflamatorias, which likely serves as the lure page that routes visitors into the network of other linked sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: http://wellwithacupuncture.com/uploads/1/3/0/7/130740262/130740262.html#que+es+citocinas+proinflamatorias
    Other extracted URLs:
    • http://myalliedbenefits.com/uploads/1/3/0/7/130776749/repawotifelad-gikozuxelezi-panarisu-viguzezomexefa.pdf
    • http://kueadressesdesign.com/uploads/1/3/0/7/130739152/vaxewuwawenuwewava.pdf
    • http://cattlemancutlery.com/uploads/1/3/0/2/130287261/setega-nubijerilor-vuvapaxaju-wurotam.pdf
    • http://quitosltd.com/uploads/1/3/0/5/130588875/9862947.pdf
    • http://redcarpetfestival.com/uploads/1/3/0/7/130740003/mitubofitodora.pdf
    • http://autodiscover.twosunsdoula.com/uploads/1/3/0/6/130639240/9fcbfaecc0.pdf
    • http://mzansinewsonline.com/uploads/1/3/0/2/130289399/bce3d916bb.pdf
    • http://theflowersonbroad.com/uploads/1/3/0/7/130738754/xowivefogev-sodukomimirasoz-puxur-dobofijororus.pdf
    • http://www.robinstelling.com/uploads/1/3/0/6/130639357/xitimud-likagin-gokifumagison-vexositow.pdf
    • http://www.checkingthegatepodcast.musicatozpodcast.com/uploads/1/3/0/4/130436226/4177e209817.pdf
    • http://parclifecreatives.com/uploads/1/3/0/4/130478484/xaxigivajoriku.pdf
    • http://www.royaltyorganix.com/uploads/1/3/0/2/130270752/nomikobukifitize.pdf
    • http://mjrblogspot.com/uploads/1/3/0/3/130379458/saturam_nikofepefuwote.pdf
    • http://cookinglivinggiving.com/uploads/1/3/0/7/130739423/kivutedagite-pijigogukixit-faduvi-zuxonurazife.pdf
    • http://joeytorkelson.com/uploads/1/3/0/9/130969330/xirigijetijisoj.pdf
    • http://comicinformer.com/uploads/1/3/0/7/130776307/6454ec6c.pdf
    • http://www.myerbamate.com/uploads/1/3/0/9/130969985/712a2fb1.pdf
    • http://webmail.jameslaff.com/uploads/1/3/0/3/130313265/4667478.pdf
    • http://barkleygold.com/uploads/1/3/0/5/130539309/163328.pdf
    • http://www.evolutionsuperfoods.com/uploads/1/3/0/8/130813831/zegepewege_rexenik_topijodujujem.pdf
    • http://autodiscover.dutchagrosystems.nl/uploads/1/3/0/6/130621467/sekegoferisibixovamu.pdf
    • http://www.elsha3raaahelmeem.com/uploads/1/3/0/4/130435990/d211dd958d9885c.pdf
    • http://www.everybodyintegrativemassage.com/uploads/1/3/0/8/130814859/6127593.pdf
    • http://coonrapidsinsurance.com/uploads/1/3/0/6/130604158/5784441.pdf
    • http://autodiscover.dutchagrosystems.nl/uploads/1/3/0/6/130621467/sekego
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                      Size
font_00_sfnt_off0000836c.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x836C   9188 bytes
    SHA-256: b2df998b98f1875d7ae29f03aaa20bb42b78267be7e630a53724a4ebe4cc8333
font_01_sfnt_off0000a4d2.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xA4D2   3284 bytes
    SHA-256: bff1374cd5d68ec7fef1c56a6dcb4130062e8e687cbddba7a1f3180d6a99bb89
font_02_sfnt_off0000b050.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xB050   16260 bytes
    SHA-256: 9a26ddfe3183561c694bc162abf7c8b63a59914d7f43e9d3467b42a916c804de