Malicious PDF — malware analysis report

Static analysis result for SHA-256 9d97a07b251b8dd5…

MALICIOUS

PDF

Size: 55.7 KB
Created: 2020-04-09 13:44:35 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: d1f9777cbb27bece8b82ee7f4836a488
SHA-1: 7e1ff11a36d27fde42e63d19706b8c4942108ee3
SHA-256: 9d97a07b251b8dd5e8ac9415d798b46d7783e522330c042a2ed135ea74f283ca
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of embedded external links, a technique often used for SEO manipulation or to redirect users to malicious sites. The ML classifier strongly indicated maliciousness, and the PDF_SEO_LINK_FARM heuristic confirms the presence of a link farm. The embedded URLs suggest a campaign focused on driving traffic to a network of potentially compromised or malicious websites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9936

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000b644.bin | e5ddf392bcc9a1c30dd288b046f7135e9eea4747b25688f558e102643ffad968 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB644 | 8888 bytes
font_01_sfnt_off0000d657.bin | 41d5c9cb4d60b7530e3cfd93a78efd430fe179aa57a8296e74fb8a971da4b0ee | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD657 | 2600 bytes