Malicious PDF — malware analysis report

Static analysis result for SHA-256 9b1ba448865dad50…

MALICIOUS

PDF

Size: 38.7 KB
Created: 2020-05-19 04:53:39 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a3234d5d2d57521a0a747b98aa90a3ed
SHA-1: bea00327f28f1b79650711246fc1575ee04c7e12
SHA-256: 9b1ba448865dad50a83752c1e25b3cbf41a852e4042a98c2d8c3bbf47dd0ecf6
Risk score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

This PDF file exhibits characteristics of a link farm, containing numerous external URLs that point to other PDF documents. The heuristic 'PDF_SEO_LINK_FARM' indicates a large number of these links, suggesting a tactic to manipulate search engine results or distribute content across many domains. The ML classifier also flagged this PDF as malicious with high confidence. No scripts were extracted from this sample, and the document body is heavily obfuscated, making it difficult to determine a specific user-facing lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://khpottery.com/uploads/1/3/1/0/131071196/131071196.html#treasure+seekers+visions+of+gold+wal
    • http://cirugiadrabelgonzalez.com/uploads/1/3/0/2/130270747/ade1ce95a2d4da3.pdf
    • http://spreadsheetsmadesimple.com/uploads/1/3/0/5/130539074/namilatafi.pdf
    • http://stetsonoperaproject.com/uploads/1/3/0/7/130775883/wejoj.pdf
    • http://nancylipschultz.com/uploads/1/3/1/4/131410434/1699506.pdf
    • http://teslaxcom.com/uploads/1/3/1/8/131856446/2015621.pdf
    • http://lifewerkes.com/uploads/1/3/0/5/130543870/3062842.pdf
    • http://mgmcosmetics.net/uploads/1/3/0/5/130546432/jupudinofazam_gokenomovuro.pdf
    • http://proficientorganizing.com/uploads/1/3/1/0/131070291/348f21bb2be3.pdf
    • http://leapsandboundstravels.net/uploads/1/3/0/7/130776693/molagijo-dubuziza-zopivex.pdf
    • http://yourweddingsolutions.com/uploads/1/3/0/4/130436313/10a11be2c4f26.pdf
    • http://thegeeksupreme.com/uploads/1/3/0/6/130620926/bokodobugevudun.pdf
    • http://convlva.com/uploads/1/3/0/6/130603761/7012864.pdf
    • http://christinecc.com/uploads/1/3/0/7/130776891/a0371d.pdf
    • http://emeraldtrianglefarm.info/uploads/1/3/0/4/130489423/317385efbcd.pdf
    • http://colombiamines.com/uploads/1/3/0/7/130740497/tuleriduxalog.pdf
    • http://healthsolutionscr.net/uploads/1/3/0/7/130738837/kosuvi-leruwipomibijaf.pdf
    • http://panoramic09-navisl.com/uploads/1/3/1/4/131438129/gavakodemesu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006c30.bin
SHA-256: e9c403f8e6c20763c5201b699a5ac86b0ad6160776989043d86b11e95195fa26
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6C30
Size: 10228 bytes