Malicious PDF — malware analysis report

Static analysis result for SHA-256 79f825a21a0aaa61…

Verdict: MALICIOUS
File type: PDF
Size: 13.1 KB
Created: 2020-02-15 00:51:30 +00:00
Authoring application: mPDF 5.7
MD5: e72d8f0885abeef209735af6a0e7dc98
SHA-1: 986f68c0a05577c08b5acc9113ca6166451d88ea
SHA-256: 79f825a21a0aaa61d6865a98db143fe3955f0d2bff72adb84c9077ec5dd7fe10
Risk Score: 92

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs pointing to external PDF files hosted on a dynamic DNS domain. This behavior is indicative of SEO poisoning or a traffic redirection scheme, aiming to drive users to malicious content. No scripts were extracted, and the document body was heavily obfuscated, limiting further analysis of the exact payload.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9006

Heuristics (2)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.