Malicious PDF — malware analysis report

Static analysis result for SHA-256 8dd9d626ec604eb9…

Verdict: MALICIOUS
File type: PDF
Size: 38.0 KB
Created: 2020-03-29 10:17:23 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: bb862e2ce9379891f0ab8663c1ad0bfc
SHA-1: 50194df8a6c2ecd08b122076159768c4e44714c7
SHA-256: 8dd9d626ec604eb983dde5f7b4265e15aaf7eef83ca95caab1a4a4d9643ae541
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, a common technique for SEO poisoning or redirecting users to malicious sites. The document body, though partially corrupted, references a classification of metals and non-metals, likely a lure to disguise the malicious intent. The ML classifier strongly indicated maliciousness, and the PDF_SEO_LINK_FARM heuristic confirms the presence of a link farm.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000068f9.bin
SHA-256: e48d9790f08caad4f00896540b72eb5671e149939d4e7493d5e892af717b3fc4
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x68F9
Size: 8640 bytes