Malicious PDF — malware analysis report

Static analysis result for SHA-256 92a1a6a309de46b6…

Verdict: MALICIOUS
File type: PDF
Size: 41.8 KB
Created: 2020-04-22 15:58:10 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: d36a75314d7ef208354b2b175a45e2f1
SHA-1: 66ba0fbb15b205ab5aa50cbc51cd67798a4b497c
SHA-256: 92a1a6a309de46b62a651ea46186a52bc460bd279147794fb7713da6658f54d1
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic. The document body contains a reference to 'Chupke chupke full movie in hd', suggesting a lure to attract users. The ML classifier also strongly indicated maliciousness. The primary attack pattern involves directing users to external sites, likely for SEO spam or phishing.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9919

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • PDF differential parser failed (info, PDF_DIFFERENTIAL_PARSE_FAILED)
    The cross-check parser (pdfminer.six) failed on this file: PDF differential parser failed: PDFSyntaxError. Static heuristics still ran and any of their findings above are valid; only the differential cross-check signal is missing.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00006811.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6811  9988 bytes
  SHA-256: 7585cf7c1de005a6521578d6bf7623c2e19e2bb4d2250fdc40236e82b4b46a66
font_01_sfnt_off00008b45.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x8B45  2652 bytes
  SHA-256: 1b3f82cd74c5b6671cc0c0d4a6c7877b74bb57ca469b2a61ef541918e41af838
font_02_sfnt_off00009473.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x9473  6664 bytes
  SHA-256: 750c92fa1db5810c6de6b1040e9c0837d38486580b44de1cde3f2eb8b8040d63