Malicious PDF — malware analysis report

Static analysis result for SHA-256 7534762a739027ff…

MALICIOUS

PDF

Size: 33.9 KB
Created: 2020-03-28 05:18:20 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: df6b57d365e2f09e59775953251cd517
SHA-1: 19d0349bef08bf48caf08abcb32c071f1cc5d3e6
SHA-256: 7534762a739027fff8013a6e978e255ad213043bce3da4e18ad921f270e840d8
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1105 Ingress Tool Transfer

The PDF document contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic. The embedded document body text, while partially corrupted, includes a URL that matches one of the extracted links. This suggests the document is designed to redirect users to a network of linked pages, potentially for SEO manipulation or to serve malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006b40.bin
SHA-256: bdc696290f43dd3be86e9d04b6bc04ae8da702f6df0e76b4e04d474b1f75a89c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6B40
Size: 8940 bytes