Malicious PDF — malware analysis report

Static analysis result for SHA-256 945edd04d50fb6e3…

MALICIOUS

PDF

Size: 47.9 KB
Created: 2020-04-09 13:56:39 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 98f0c6b445c095317909e001f04151dd
SHA-1: 7808b923ac2c28012d6c23df5520e9bb5f71f931
SHA-256: 945edd04d50fb6e3dea3e438275d96c2706e704b935f578496ecc2c59364f3ab
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, pointing to various domains. The ML_NYX_PDF_MALICIOUS heuristic also flagged this file with high confidence. The embedded document body text, though heavily obfuscated, contains URLs that are also listed in the extracted URLs. This suggests the primary purpose is to redirect users to a network of sites, likely for SEO spam or to host further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, Kind, Source, Size, SHA-256

  • font_00_sfnt_off0000727f.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x727F
    Size: 8056 bytes
    SHA-256: 0fc27a81707651cf1f7b08b0e9062c519ce0ee7c0927ad67ee96fa0a9adbb300
  • font_01_sfnt_off000091a8.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x91A8
    Size: 3156 bytes
    SHA-256: 4e9ae17c41f053e7ad2cff4c16f4465db96732130fdde230725ded2fe80853ad
  • font_02_sfnt_off00009cc4.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9CC4
    Size: 16152 bytes
    SHA-256: 5866edaad094271045800fc8caf6b7cd124443ffb116d222dc79737898b5109c