Malicious PDF — malware analysis report

Static analysis result for SHA-256 70ca2a30753d76d1…

Verdict: MALICIOUS
File type: PDF
Size: 36.9 KB
Created: 2020-05-14 09:04:19 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 9718aaeea53f7d00987c0405002b60af
SHA-1: ce1937750e1db39bcfaee2e74f68aa281f9dc3d6
SHA-256: 70ca2a30753d76d1be7454f2f668b393f753a36ed9c1d7b2f1fcdf96d3a95a40
Risk Score: 94

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains a large number of external links, identified as a link farm, designed to redirect users to other websites. The primary URL found in the document body, http://grapheneglobalfund.com/uploads/1/3/1/3/131398545/131398545.html#messenger+apk+mirror+android+4.+3, suggests a lure related to downloading applications. The ML classifier strongly indicates maliciousness, supporting the conclusion that this document is part of a malicious distribution campaign.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9995

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL (document body): http://grapheneglobalfund.com/uploads/1/3/1/3/131398545/131398545.html#messenger+apk+mirror+android+4.+3
    Other extracted URLs:
    • http://abengland.net/uploads/1/3/0/5/130551090/fb4cc.pdf
    • http://carluca.com/uploads/1/3/0/6/130639687/9493629.pdf
    • http://truegalu.com/uploads/1/3/0/5/130588663/jadaguvego-riviwiw-muxutefuxojiva.pdf
    • http://kbassokinesiology.com/uploads/1/3/0/7/130739237/tekuwitowe.pdf
    • http://samarasodyssey.com/uploads/1/3/0/3/130313809/5710906.pdf
    • http://allstuffsafe.com/uploads/1/3/1/4/131437161/menasutazeru_devurotunekegi_xafoxepajigo_digif.pdf
    • http://yogapilatespersonaltraining.com/uploads/1/3/1/4/131453593/c6d58d22f8ca.pdf
    • http://keatingphysicaltherapy.net/uploads/1/3/0/6/130621431/kezatigipobu_suzuvoxa_fedozewenesuwat_wamabokube.pdf
    • http://leadingyouhome.org/uploads/1/3/1/4/131482991/1876367108.pdf
    • http://collinsbasketball.com/uploads/1/3/0/3/130379160/fufamegarig_jokoz_torazutuwu.pdf
    • http://sevillaincorporated.com/uploads/1/3/0/8/130874411/wisoxubavavaru-jojabiwatomuja.pdf
    • http://thecolonytowingservice.com/uploads/1/3/1/4/131452794/paleje_bomesiruriviz_demuporazewejez.pdf
    • http://amandajakich.com/uploads/1/3/1/4/131437222/8506678.pdf
    • http://seelysound.com/uploads/1/3/0/6/130604933/6304192.pdf
    • http://courtneyfiles.com/uploads/1/3/0/6/130620847/rulika_tugujivezozam_mezalez_kuxikitelise.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://scripts.sil.org/OFL

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007303.bin
SHA-256: bd74cd12dc864b84cca436d532c5ce3dfcfcd4efa219d034d5b641ff8ed48acb
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x7303
Size: 10064 bytes