Malicious PDF — malware analysis report

Static analysis result for SHA-256 89a61379b20d77ef…

MALICIOUS

PDF

Size: 36.4 KB
Created: 2020-04-08 22:06:34 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 989e024206b55a5a49c5678204539b2b
SHA-1: d10658dabc897e3377785a3c48ffd24c4104c4f7
SHA-256: 89a61379b20d77ef30922244a026e21bc93b9c2662cd1688b835daa0ee4f7842
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document was identified as malicious by an ML classifier. It contains a large number of external links, characteristic of a link farm designed to manipulate search engine rankings. The document body contains a suggestive phrase and mentions the authoring application, but the primary malicious intent appears to be directing users to a network of unrelated websites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000060c3.bin
SHA-256: 75930d5b4a92148bcba1f5d3f94eba05e0b3faeab23345570507c304bda5448b
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x60C3
Size: 9920 bytes