Malicious PDF — malware analysis report

Static analysis result for SHA-256 9b6a27d7fa5b2682…

MALICIOUS

PDF

Size: 32.1 KB
Created: 2020-05-13 09:53:55 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: a243db98e71305484307042c0641cd79
SHA-1: cf9762a8e590db7c77bd036690f685c7099f13bd
SHA-256: 9b6a27d7fa5b2682dbffd1ec59eb44ec492c2d1774e4489250038eb758a7603c
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1566.002 Spearphishing Link

The PDF file was flagged by an ML classifier as malicious. It contains a large number of external links, with the heuristic 'PDF_SEO_LINK_FARM' indicating a link farm strategy. The embedded URLs likely serve as lures or redirects to malicious content, contributing to a potential SEO poisoning or phishing attack. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, heuristic: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, heuristic: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, heuristic: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005215.bin
SHA-256: 1455cfeff037b7929683faa3d6beff391f938b883f060a4b0d0ee49b1d4d396e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5215
Size: 10456 bytes