Malicious PDF — malware analysis report

Static analysis result for SHA-256 8c4135e09673599d…

MALICIOUS

PDF

35.1 KB Created: 2020-06-14 05:52:04 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 018cc5abdcaffa4d6e80b510f95d29a1 SHA-1: 52a0d43886c001eb86a974473d137a6c23c5f2b9 SHA-256: 8c4135e09673599d409cb6f275927eb877ab4b790bbe45b7b0607ec9f612978e
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 User Execution: Malicious File

The PDF document contains a large number of external links, a technique often used for SEO poisoning or to distribute further malicious content. The ML classifier strongly indicated maliciousness, and the PDF_SEO_LINK_FARM heuristic confirms the presence of a link farm. No scripts were extracted, but the sheer volume of outbound links suggests a malicious intent to redirect the user to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://p7.undesirable.us/uploads/1/3/1/6/131606186/131606186.html#ezop+masallar%25C4%25B1+yazar%25C4%25B1
    • http://caninesmilellc.com/uploads/1/3/0/4/130435532/jofobarokeratid-pefizuzor-sajus-rubefulazatepe.pdf
    • http://frizzell.info/uploads/1/3/1/1/131164257/tibodo.pdf
    • http://webmail.wildthistlejewelry.com/uploads/1/3/0/6/130620436/dixuvolekir-gilelogaxila.pdf
    • http://seventastings.com/uploads/1/3/1/6/131637176/5267936.pdf
    • http://lespetitesnatures.net/uploads/1/3/1/3/131383553/genunuponovoja_xejonajexuzinun_rakonage.pdf
    • http://ipv6.leeuwardergitaarschool.nl/uploads/1/3/0/9/130969614/63535b8b41.pdf
    • http://thehillsbrokerageservices.net/uploads/1/3/0/5/130550910/jorabiri_kaxofojemire_bumovo_gufevovumi.pdf
    • https://zedipuxari.files.wordpress.com/2020/06/vuzulifugovixatasu.pdf
    • https://verisemi.files.wordpress.com/2020/06/sinevovuxafiwoti.pdf
    • https://tepaxazif.files.wordpress.com/2020/06/bapanew.pdf
    • https://pakuloxana895114244.files.wordpress.com/2020/06/japifupiw.pdf
    • https://tizemepaluw.files.wordpress.com/2020/06/11350967015.pdf
    • https://pofubozoseg580427017.files.wordpress.com/2020/06/34355654146.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005c61.bin
b3784d71404301232fc695a55bd5e7945879523700ae89add8b8fa40eea7e199		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5C61 11208 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.