Malicious PDF — malware analysis report

Static analysis result for SHA-256 6bce75602cc4af5c…

MALICIOUS

PDF

Size: 33.6 KB
Created: 2020-11-09 13:11:51 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d600ff506205c52cee60b57a4dfbf711
SHA-1: 46ec41deb21eddcd9b2f7385189a807b756622d1
SHA-256: 6bce75602cc4af5ccc1854373980716e60f362b86f584841194888e5f1c87cdc
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which are to other PDFs, suggesting a link farm or SEO abuse tactic. The primary URL, "https://traffset.ru/aws?keyword=ford+explorer+repair+manual+download", is likely a lure to download further malicious content. The ML classifier strongly indicated maliciousness, and the PDF structure itself is flagged for containing a mass of external links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9991

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://traffset.ru/aws?keyword=ford+explorer+repair+manual+download

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005ff6.bin
SHA-256: e12be194c67b94354d29a07199e240c2734f36b1c70f2c02f09bbefb0e55d0c4
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5FF6
Size: 5044 bytes