Malicious PDF — malware analysis report

Static analysis result for SHA-256 82f7656fb93a84b2…

MALICIOUS

PDF

46.8 KB Created: 2020-06-27 01:46:52 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c22787c75d2504678079cd9beddfdd1c SHA-1: 3784bc8fc26084b6f7d6d42d8a9196552396e8f5 SHA-256: 82f7656fb93a84b2f676cec6905de58fcd0068ba4eb7aa56b9356cf75582d678
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell

The PDF document is identified as malicious by an ML classifier and contains a significant number of external links, characteristic of a link farm or redirection scheme. The document body, though heavily obfuscated, contains a reference to a '1998 chevy suburban repair manual', suggesting a lure to entice users to click on the embedded links. The presence of numerous external URLs, many hosted on seemingly unrelated domains, indicates a probable attempt to distribute further malicious content or lead users to phishing sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://files.xsaia.org/uploads/1/3/0/4/130476033/130476033.html#1998+chevy+suburban+repair+manual
    • http://labellaswimwear.net/uploads/1/3/1/4/131483005/vemopigoxukemi_namas_ruvefawaxer.pdf
    • http://mail.joekausits.com/uploads/1/3/1/8/131855997/sakudig_zovix.pdf
    • http://webdisk.littlecreekfarmllc.com/uploads/1/3/0/5/130539691/2987818.pdf
    • http://knojoko.co.za/uploads/1/3/0/6/130621211/625760.pdf
    • http://297.undesirable.us/uploads/1/3/0/6/130604987/kotolasoxemudokakuse.pdf
    • http://booker46.com/uploads/1/3/0/5/130588352/reponejurimipon_faxejofaba_dikozinarujexom_pakudijevikuzi.pdf
    • http://files.atriumcarpark.co.nz/uploads/1/3/0/7/130775951/pamojav.pdf
    • http://javanhirst.com/uploads/1/3/0/8/130814861/1794355.pdf
    • http://swimgympump.com/uploads/1/3/0/6/130621264/banujuxuta.pdf
    • https://dowutoweviki.files.wordpress.com/2020/06/93638211195.pdf
    • https://xezosom.files.wordpress.com/2020/06/20709790469.pdf
    • https://lekemav.files.wordpress.com/2020/06/jujibope.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://dowutoweviki.files.wordpress.com/2020/06/93638211

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000078e6.bin
43e292621a0cbcc7d2de6d7b0481f49704d0653ccd87afe1a454bebd90790ddb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x78E6 5476 bytes
font_01_sfnt_off00008b4d.bin
a1e3038c7e0e71e905532b957e776a11af2122a6436a4ad2c26ba6999290bd69		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8B4D 10328 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.