Malicious PDF — malware analysis report

Static analysis result for SHA-256 989df73875acf6d1…

Verdict: MALICIOUS
File type: PDF
Size: 95.6 KB
Created: 2020-04-07 10:40:32 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: a8f4ffae4606f6d34e53f1c9b2adec88
SHA-1: 8cb9cfd9aec807baff5c85a99940da82902ec433
SHA-256: 989df73875acf6d173c28bbe6c05f0e4e85f12fce1b3811ff000f326d6788748
Risk score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of external links, indicating a link farm or redirection to malicious content. The ML classifier strongly suggests maliciousness. No scripts were extracted, limiting the ability to determine specific payload delivery or persistence mechanisms. The primary attack pattern appears to be the distribution of numerous external links.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] (PDF_URI)
    PDF contains an external URL action.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00011914.bin | eb8cf970f7fbc00a6c6a3e60a1f2416a280371eb4fe4c509803b0d51b5f2ff70 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11914 | 1888 bytes
font_01_sfnt_off000121b7.bin | 339008a1f28591df7e6a0a0b08ad24e23162ce5dcf02e98d27b4d82c204cf8ef | pdf-font-stream | PDF embedded font (sfnt) at offset 0x121B7 | 11864 bytes
font_02_sfnt_off00014abf.bin | d0eed65f4ddeab6515752ab2c51e78c4b86cbfa31b0fe086017b9e8dd9caaacc | pdf-font-stream | PDF embedded font (sfnt) at offset 0x14ABF | 4280 bytes
font_03_sfnt_off0001585f.bin | ddc6c38a5929b263b215a5b0c7aa8b1a409f146866f06980111f9f21a6232bf4 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1585F | 16036 bytes