Malicious PDF — malware analysis report

Static analysis result for SHA-256 9832e1467ae04e0a…

MALICIOUS

PDF

37.6 KB Created: 2020-06-06 04:56:48 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: c38c3d81bdc42ed6a004f1628744ba92 SHA-1: 15e7e4cb1ff0875dc491dc39f196ee2dd1ff41a7 SHA-256: 9832e1467ae04e0a9d535ca5674e723b687940c7e7554045e3020d6378878ed7
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

This PDF document was flagged by a machine learning classifier as malicious. It contains a large number of embedded external links, many of which point to other PDF files hosted on various domains. The primary URL found in the document body, http://wearmendmeshop.com/uploads/1/3/1/4/131453350/131453350.html#cell+phone+jammer, suggests a lure related to 'cell phone jammer' which is likely a deceptive topic to entice clicks. The overall structure indicates a link farm or traffic distribution scheme, common for distributing malware or phishing content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://wearmendmeshop.com/uploads/1/3/1/4/131453350/131453350.html#cell+phone+jammer
    • http://store.inkandblood.com/uploads/1/3/0/5/130550782/donos.pdf
    • http://mail.bernadette-bluemel.at/uploads/1/3/1/4/131453268/bekakegusuv.pdf
    • http://himsr.psformation.com/uploads/1/3/1/4/131437937/tikek_nekedupipebi_piwalit.pdf
    • http://thedaddylife.com/uploads/1/3/0/8/130814122/2074589cc6d91.pdf
    • http://gardenrouteexploring.com/uploads/1/3/0/7/130776096/a8ee4376.pdf
    • http://hurricanecnc.com/uploads/1/3/0/9/130969114/f717eab.pdf
    • http://shaikblogs.com/uploads/1/3/1/3/131380511/zukekuzujonag.pdf
    • http://omahafoodguide.com/uploads/1/3/0/6/130639721/200128.pdf
    • http://wearmendmeshop.com/uploads/1/3/1/4/131453350/terms.html
    • http://wearmendmeshop.com/uploads/1/3/1/4/131453350/dmca.html
    • http://wearmendmeshop.com/uploads/1/3/1/4/131453350/policy.html
    • https://detakoxi.files.wordpress.com/2020/06/68584382045.pdf
    • https://xuzazafozot.files.wordpress.com/2020/06/8270998847.pdf
    • https://felaweve.files.wordpress.com/2020/06/jivapabufug.pdf
    • https://wiguzigeb.files.wordpress.com/2020/06/9043854226.pdf
    • https://sexedituf.files.wordpress.com/2020/06/bokitikepigoxonen.pdf
    • https://zivuwisi.files.wordpress.com/2020/06/tezekefopi.pdf
    • https://voluvatoru.files.wordpress.com/2020/06/kotagowiwinu.pdf
    • https://fobitogoxonu.files.wordpress.com/2020/06/36668376617.pdf
    • https://zurejopunigo.files.wordpress.com/2020/06/kolugodomuweriwedoxale.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000066a4.bin
eebb6475ff5af9169c268c6c2952a8d913b344f070c7a03c75c9be04b66f8dea		 pdf-font-stream PDF embedded font (sfnt) at offset 0x66A4 10768 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.