Malicious PDF — malware analysis report

Static analysis result for SHA-256 977acba6389058a0…

Verdict: MALICIOUS
File type: PDF
Size: 45.1 KB
Created: 2020-03-13 02:12:44 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: be61ba64e35582a80cfb83488f7d1387
SHA-1: b70f1dbe0a3b566e4ce92e213b3b092ca9bddb4c
SHA-256: 977acba6389058a0f67435396dbe744180985123cfa77665744dde36eb18d0ae
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document exhibits the characteristics of a link farm: a heuristic fired on the mass of external PDF links it carries. The document body contains a URL pointing to a page about operating system deadlock recovery methods, which is likely the lure. The primary intent appears to be routing users into a network of potentially malicious websites through these numerous embedded links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] (PDF_URI)
    PDF contains an external URL action.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Document-body URL: http://host144.carmichaelnl.com/uploads/1/3/0/2/130289232/130289232.html#mention+various+recovery+methods+for+deadlock+in+os

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000681e.bin
    SHA-256: 138ddb8e39c6642ddc4a1b2fcf06643681671e4c5ad27089b670f4eb57c828ba
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x681E
    Size: 8036 bytes
  • Filename: font_01_sfnt_off0000873c.bin
    SHA-256: e2f1373bf3d70a40ff4276a486f0a1d2d32154e4f45ad1243a44c3d3b7d91cea
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x873C
    Size: 2652 bytes
  • Filename: font_02_sfnt_off000090a5.bin
    SHA-256: f31c439e28d0137206b91a151f21343900f846ed9ff070250fbe82eb1cc7da1d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x90A5
    Size: 16204 bytes