Malicious PDF — malware analysis report

Static analysis result for SHA-256 9370821259c08a41…

Verdict: MALICIOUS
File type: PDF
Size: 30.6 KB
Created: 2020-03-24 05:40:48 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 07720e226a5233e46008c3963f1f3271
SHA-1: 204112879d4c2a79d1095482c633287ebf656ac8
SHA-256: 9370821259c08a413dbdd8aacc2a81dcc51f5fbd11dc2e7a9fbe709a7fcbba6c
Risk score: 92

Malware Insights

MITRE ATT&CK
  • T1598 Gather Victim Identity Information
  • T1204 Malicious Link

The PDF document contains a large number of external links, a technique often used for SEO manipulation or to distribute malicious payloads. The 'PDF_SEO_LINK_FARM' heuristic specifically identifies this behavior, indicating a high likelihood of malicious intent. The ML classifier also strongly flagged this PDF as malicious. The embedded URLs are the primary indicators of compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://michaelwellsart.com/uploads/1/3/0/3/130323319/130323319.html#in+a+perfectly+competitive+industry+the+industry+demand+curve+is+horizontal
    • http://bcdcosmetics.com/uploads/1/3/0/3/130323453/zonoki.pdf
    • http://www.thecentristparty-co-uk.mypersuasions.com/uploads/1/3/1/1/131164007/4adcce8561.pdf
    • http://dotcomdotcomdotcomdotcomdotcomdotcomdotcom.com/uploads/1/3/0/8/130813428/xifunuwujumotuveleju.pdf
    • http://supportrequesternauth.info/uploads/1/3/0/6/130639173/903a5265.pdf
    • http://mrviolinsd.com/uploads/1/3/0/5/130540281/854d56.pdf
    • http://hartlawfirmpllc.com/uploads/1/3/0/2/130271031/wikapob.pdf
    • http://facialplasticsurgery.tips/uploads/1/3/0/5/130590047/lixisefiludeviviwu.pdf
    • http://christani.info/uploads/1/3/0/5/130589114/padolinevegotajovume.pdf
    • http://affiliatedtattoofamily.com/uploads/1/3/0/2/130274338/newopononedut.pdf
    • http://ryanbaldwin.ca/uploads/1/3/0/4/130436068/nakog_zezidujugud.pdf
    • http://shadowfinder.com/uploads/1/3/0/5/130589019/8125509.pdf
    • http://9f60dnj005.com/uploads/1/3/0/6/130639500/romodajafexoj-xavapabe-jixegubakivafu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005485.bin
SHA-256: 5f6da518aebec120e21a4f29e0ec1c8ad87495f54e2dbb1223c9284c78f59fed
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5485
Size: 6044 bytes