Malicious PDF — malware analysis report

Static analysis result for SHA-256 7fbd67839e6d1f32…

Verdict: MALICIOUS
File type: PDF
Size: 36.4 KB
Created: 2020-04-05 15:42:27 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 04251038f780456ee6a05c682757730f
SHA-1: b06474eaf30ae76b8358b21593db253ee035556d
SHA-256: 7fbd67839e6d1f32cf5a015c29a06b89ffcd1420143cce2fb15ed8eb41e7fbb2
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1566.002 Spearphishing Link
  • T1059.001 PowerShell

The PDF contains numerous external links, a technique often used for SEO poisoning or to redirect users to malicious sites. The ML classifier strongly indicated maliciousness. The document body, though partially corrupted, contains a URL that appears to be part of this link farm. The presence of multiple numeric-slugged URLs suggests an attempt to generate traffic or distribute malware.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9970

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://smtfun.club/uploads/1/3/0/2/130287934/130287934.html#how+to+make+diaper+genie+smell+better
    • http://rsworldtravel.com/uploads/1/3/0/7/130775310/vexexefutupazojako.pdf
    • http://terrenmueller.com/uploads/1/3/1/4/131452904/taxuguta.pdf
    • http://innoflompoc.com/uploads/1/3/0/2/130288802/nedatosuxula_modevi_lebifusi.pdf
    • http://3greenassistance.org/uploads/1/3/0/2/130289339/2db6bd5.pdf
    • http://christmasisgreat.com/uploads/1/3/0/4/130436250/tepipini-fizejiresala.pdf
    • http://mutiny-cannabis.com/uploads/1/3/0/4/130435751/xakevom-dixinat-futokimixe.pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007583.bin
SHA-256: abb8d197e84444a28e355938b1b1e257637e8601fbf0b1734df1e8aaa08a1f40
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x7583
Size: 8168 bytes