Malicious PDF — malware analysis report

Static analysis result for SHA-256 668647759a91519a…

Verdict: MALICIOUS
File type: PDF
Size: 20.0 KB
Created: 2020-04-03 07:59:54 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: a61a419fa82d96546b6a9e4e15e2eb2b
SHA-1: ada849256f6456588fe5e3c50697af4247549736
SHA-256: 668647759a91519a6060d9a9333d2bd2dcdebdedacbf04f2be0117e223c337a1
Risk Score: 114

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file is identified as a malicious screenshot lure, containing a single image and a clickable action that directs users to external URLs. The presence of numerous external links, many structured as SEO-optimized PDF links, suggests a link farm or a distribution mechanism for further malicious content. The ML classifier strongly indicates maliciousness, and the overall structure points towards a phishing or malware distribution attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9988

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image-only document with action trigger (screenshot lure) [medium] PDF_IMAGE_LURE
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 20 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://sageeportfolio.com/uploads/1/3/0/7/130775447/130775447.html#interlineado+doble+en+latex
    • http://www.sherpublishing.com/uploads/1/3/1/4/131436967/3118736.pdf
    • http://epr.energy/uploads/1/3/1/3/131379591/kajonivijeki.pdf
    • http://laurendanhof.com/uploads/1/3/0/9/130969543/967628103.pdf
    • http://kinforthewin.com/uploads/1/3/0/6/130603834/e35e4.pdf
    • http://motionalvr.com/uploads/1/3/0/4/130435755/8635235.pdf
    • http://theretrofitmasters.com/uploads/1/3/1/3/131383624/63c5f5378f8.pdf
    • http://paulreesemusic.com/uploads/1/3/0/5/130541950/dutasanolafaz.pdf
    • http://mythunderteam.com/uploads/1/3/0/6/130639965/pejewezekop-vadeferoxob.pdf
    • http://animalwelfareaotearoa.com/uploads/1/3/0/4/130476669/9199916.pdf
    • http://detailersandvaleters.com/uploads/1/3/0/7/130738607/fimevepozelada.pdf
    • http://webmail.rathlawoffice.com/uploads/1/3/0/5/130545698/3819743.pdf
    • http://kaitlinclarke.com/uploads/1/3/0/5/130541904/5210346.pdf
    • http://cyberactive.tech/uploads/1/3/0/7/130775173/67ffc93.pdf
    • http://ninereedroad.com/uploads/1/3/0/7/130775987/8454361.pdf
    • http://theboilerfactory.com/uploads/1/3/0/2/130287296/6294829.pdf
    • http://whollysmokedbbq.net/uploads/1/3/0/2/130287852/ee5ea.pdf
    • http://stacyeye.com/uploads/1/3/0/7/130739542/fasavafur.pdf
    • http://sammiegeislerdpt.com/uploads/1/3/1/3/131398358/4093733.pdf
    • http://lukesimmonsbookx.com/uploads/1/3/0/6/130639936/8278355.pdf
    • http://katherineandersendigtals.com/uploads/1/3/0/7/130739194/zobamezugotukorizi.pdf
    • http://networkdua.com/uploads/1/3/0/8/130815311/8455552.pdf
    • http://tuxebase.com/uploads/1/3/0/6/130603692/4044131.pdf
    • http://hitcharchive.com/uploads/1/3/0/6/130620511/pojot_mekevegisit_niretebipirot_nuvupo.pdf
    • http://glasgowmtairport.com/uploads/1/3/0/8/130814411/pikijag.pdf