Malicious PDF — malware analysis report

Static analysis result for SHA-256 86a00d7dce98c28e…

MALICIOUS

PDF

67.3 KB Created: 2020-04-05 12:53:34 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: acd842c24ab64ea5159e8626af23ecd5 SHA-1: 5a1a615d0f3e85f2a28284e5cb3593c601b02a4e SHA-256: 86a00d7dce98c28ea2e1d3f2192fa77e36922bf73117684a212ea426e30720fb
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document was flagged by multiple heuristics as malicious, specifically for containing a large 'link farm' of external URLs. The ML classifier also strongly indicated maliciousness. The primary attack pattern involves leveraging these numerous links, likely to a variety of domains, to distribute further malicious content or conduct phishing attacks. No scripts were extracted, and the document body was heavily obfuscated, making it difficult to determine a more specific lure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://marcelgiger.com/uploads/1/3/0/8/130814584/130814584.html#manual+de+supervision+tif
    • http://vjohnsonperceptionsllc.com/uploads/1/3/0/4/130435898/2444937.pdf
    • http://mercedesmax.com/uploads/1/3/0/6/130639183/nowijonamatuton-ruteza-jufimipidopumu.pdf
    • http://matthewgardlik.net/uploads/1/3/0/2/130270904/3406477.pdf
    • http://anidea.company/uploads/1/3/0/4/130483207/tanemarofesiwi_nusujogoma.pdf
    • http://503corp.com/uploads/1/3/1/4/131454269/sepurigufig.pdf
    • http://championcivil.com/uploads/1/3/1/4/131438003/lelaju_tuzuzapazo.pdf
    • http://theibisheadreview.com/uploads/1/3/0/2/130288549/xoninozawasotu.pdf
    • http://mediadunes.com/uploads/1/3/0/6/130603971/viwazugemefot_tenukikezeka.pdf
    • http://callumsstag.com/uploads/1/3/0/5/130550760/gonopewesibiwag.pdf
    • http://themompreneurmarket.com/uploads/1/3/0/5/130551621/6264899.pdf
    • http://sarahsavers.com/uploads/1/3/0/4/130478203/0b14f7490cba885.pdf
    • http://alliancemortgageco.com/uploads/1/3/0/6/130620951/kegipifurilazixi.pdf
    • http://kcrme.com/uploads/1/3/0/5/130551041/pafomokozesarij.pdf
    • http://funniestpuppies.com/uploads/1/3/0/8/130813378/9898159.pdf
    • http://sarahdguerra.com/uploads/1/3/1/4/131438461/giredonidumajevow.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000dea7.bin
132512806addf00fed53b7713e9d50c6849f34ffb3549db6e0542079695d3740		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDEA7 8740 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.