Malicious PDF — malware analysis report

Static analysis result for SHA-256 8fb9998c56cc1634…

MALICIOUS

PDF

Size: 35.4 KB
Created: 2020-04-15 10:20:24 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 97b32113633833732c8961c58c84485c
SHA-1: ba798c98e07c7641214d7b32a110acf33c5f7e54
SHA-256: 8fb9998c56cc16346d5ac66bd121a7822666956d8dacafa82bdc5fe147b4b938
Risk Score: 92

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, many of which are dynamically generated and point to potentially malicious content. The document body, though heavily obfuscated, contains references to URLs that appear to be part of a link farm designed to redirect users. The ML classifier strongly indicated maliciousness, supporting the conclusion that this is a malicious document.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://nntwholesaler.com/uploads/1/3/0/8/130874518/130874518.html#ciencias+naturales+5+primaria+santillana+pdf
    • http://startransformations.net/uploads/1/3/0/5/130588380/xiwukivimoxofum_bitikes.pdf
    • http://abominax.com/uploads/1/3/0/2/130287238/mupete.pdf
    • http://mattijsbuma.com/uploads/1/3/0/5/130539244/kedemitupefafiluti.pdf
    • http://mca718.com/uploads/1/3/0/4/130488754/kudoxigiwava.pdf
    • http://crimson-project.com/uploads/1/3/0/5/130551433/1e6fffa59.pdf
    • http://racomi.com/uploads/1/3/0/3/130323421/waxez.pdf
    • http://teambleau.com/uploads/1/3/0/7/130740464/nazejugivivuwifoz.pdf
    • http://janjetina.hr/uploads/1/3/1/4/131438873/e0bd5ab45f3476.pdf
    • http://jamilacreativehub.com/uploads/1/3/0/4/130489359/8497634.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00005216.bin | 1957428794578a072b8983e864e5701b52391162abfb2d6d14c6295fa8a16687 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5216 | 6444 bytes
font_01_sfnt_off000061d7.bin | 0ebf0ae64db013db3842a4d2d40c62b9d7cca7ab6d91366b84382b343f8e618c | pdf-font-stream | PDF embedded font (sfnt) at offset 0x61D7 | 8492 bytes