Malicious PDF — malware analysis report

Static analysis result for SHA-256 9e4066216d622d24…

Verdict: MALICIOUS
File type: PDF
Size: 36.8 KB
Created: 2020-05-18 16:39:58 +03:00
Authoring application (as recorded in document metadata): wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a3978d80d9beac2f8c98fba0fce1b922
SHA-1: 2e4aecf9abbe7f027e1219aada5b6d763fc51684
SHA-256: 9e4066216d622d245008bc5d2e9ebbc8c5bb190d94371f4d5fa80335c2fb24f5
Risk score: 92

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File

The document yields 26 external URLs: one .html page and 25 .pdf files, each .pdf on a different host but all sharing the same /uploads/1/3/<d>/<d>/<id>/ path layout. That pattern, in a 36.8 KB file, fired the PDF_SEO_LINK_FARM heuristic (critical); the ML classifier independently scored the sample 0.9999 malicious. The body text is about 'houses plans images', which matches the fragment on the single .html link and points to a generated SEO lure whose purpose is to route the reader to external content. No JavaScript or other scripts were extracted, so the risk lies in what the linked URLs serve at click time rather than in code inside the file; resolve them only from an isolated analysis environment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM [critical] Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI [info] External URI
    PDF contains an external URL action
  • EMBEDDED_URL [info] Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://jaysblogs.com/uploads/1/3/1/3/131384777/131384777.html#houses+plans+images
    • http://hayleyharlanddesign.com/uploads/1/3/1/3/131398109/rinonewutoz_regolatomov.pdf
    • http://neonglobal.org/uploads/1/3/0/6/130639569/7449987.pdf
    • http://jbheslip.com/uploads/1/3/0/7/130775151/dee9bb07.pdf
    • http://shells-creative.com/uploads/1/3/1/6/131637365/d73aea9f.pdf
    • http://cattledogcoffeeroasterstogo.com/uploads/1/3/0/9/130969938/lavusatuz.pdf
    • http://dehempify.com/uploads/1/3/1/3/131380505/wineful.pdf
    • http://latinoalliance.net/uploads/1/3/1/4/131438265/3037859.pdf
    • http://bikehirehuntervalley.com/uploads/1/3/0/5/130551630/gojiratovupuxem.pdf
    • http://schwartzgroup-mi.com/uploads/1/3/1/4/131483400/6df2e7277066.pdf
    • http://thecreativityspace.com/uploads/1/3/1/3/131383546/64a335b964.pdf
    • http://krishnareddy.de/uploads/1/3/0/5/130588809/c9ea53236351.pdf
    • http://crystalenergyprotects.com/uploads/1/3/0/2/130289154/9521d.pdf
    • http://rue28.com/uploads/1/3/0/4/130483215/gozamas.pdf
    • http://jplusdancecrew.com/uploads/1/3/0/6/130639533/zajaperoxebebetenag.pdf
    • http://greenbuiltroof.com/uploads/1/3/0/7/130738666/7803311.pdf
    • http://mynouvellelune.com/uploads/1/3/1/6/131637043/6ef3a51.pdf
    • http://collectivedreamllc.com/uploads/1/3/0/8/130874433/b60cbd.pdf
    • http://pjmaciasimagines.com/uploads/1/3/1/1/131164027/fowitexeg.pdf
    • http://newmarlboroughfiber.org/uploads/1/3/1/3/131380063/35eebb01.pdf
    • http://solarscrappers.com/uploads/1/3/0/2/130289441/323eb9e8a7.pdf
    • http://lyanatavel.com/uploads/1/3/0/6/130639157/5270330.pdf
    • http://curranttech.co/uploads/1/3/0/5/130590092/254a89642269.pdf
    • http://shaolinwahnam-zenbusiness.com/uploads/1/3/1/1/131164425/9751387.pdf
    • http://sunitamedium.com/uploads/1/3/1/0/131071181/1f9fa6.pdf
    • http://matthewoneil.net/uploads/1/3/0/6/130621713/5010013.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries are RDF/XMP namespace URIs from the document's metadata packet, not clickable links; they carry no signal on their own and should not be counted toward the link-farm total.
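The link-farm heuristic and the per-channel URL labelling that EMBEDDED_URL describes can be reproduced with a small static scanner. The Python below is an added example written for this report, not code from the analysis tool that produced it: it pulls URL strings only out of /URI action dictionaries (so XMP namespace URIs in the metadata stream are never counted as links), then applies the link-farm test on file size, number of external .pdf links, and clustering by host and by path shape. The example hosts, the thresholds (100 KB, 10 links, 50% share) and the xref-less PDF skeleton it assembles as sample input are all constructed assumptions for the example; none of the report's real URLs are fetched or embedded.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# String operand of a /URI key inside a URI action, e.g.
#   /A << /S /URI /URI (http://host/path.pdf) >>
# Tolerates backslash-escaped characters. Only plaintext objects are visible to
# this regex: inflate FlateDecode object streams first on real samples.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")

# XMP namespace URIs of the kind listed at the end of the report's URL list.
# They live in the metadata stream, not in link actions, so the scanner below
# never reports them as links.
XMP_NAMESPACES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/pdf/1.3/",
    "http://ns.adobe.com/xap/1.0/",
)


def build_link_pdf(urls):
    """Assemble a minimal, xref-less PDF skeleton (constructed test input, not the
    analysed sample) with an XMP metadata stream and one /Link annotation per URL."""
    xmp = ("<rdf:RDF " + " ".join(f"xmlns:ns{i}='{ns}'" for i, ns in enumerate(XMP_NAMESPACES))
           + "/>").encode()
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Metadata 3 0 R >>",
        b"<< /Type /Pages /Kids [4 0 R] /Count 1 >>",
        b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n%s\nendstream" % (len(xmp), xmp),
    ]
    annots = b" ".join(b"%d 0 R" % (5 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + annots + b"] >>")
    for url in urls:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    b"/A << /S /URI /URI (" + url.encode() + b") >> >>")
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (n, o) for n, o in enumerate(objs, start=1))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"


def extract_uri_actions(pdf):
    """Return the URL strings carried by /URI actions, in document order."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def path_template(url):
    """Reduce a URL path to its shape: drop the file name, collapse digit runs to N."""
    directory = urlsplit(url).path.rsplit("/", 1)[0] + "/"
    return re.sub(r"\d+", "N", directory)


def link_farm_verdict(pdf, max_size=100_000, min_pdf_links=10, cluster_share=0.5):
    """Apply the PDF_SEO_LINK_FARM test: a small file, many external .pdf links,
    and the links clustered either on one host or on one path shape.
    Thresholds are assumptions for this example, not the tool's values."""
    external = [u for u in extract_uri_actions(pdf) if urlsplit(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in external)
    shapes = Counter(path_template(u) for u in external)
    host_share = max(hosts.values()) / len(external) if external else 0.0
    shape_share = max(shapes.values()) / len(external) if external else 0.0
    flagged = (len(pdf) <= max_size and len(pdf_links) >= min_pdf_links
               and max(host_share, shape_share) >= cluster_share)
    return {
        "size": len(pdf),
        "external_links": len(external),
        "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host_share": round(host_share, 2),
        "top_path_shape": shapes.most_common(1)[0][0] if shapes else None,
        "top_shape_share": round(shape_share, 2),
        "PDF_SEO_LINK_FARM": flagged,
    }


# Constructed inputs. FARM_URLS mimics the report's list: twelve .pdf links on
# twelve made-up hosts sharing one /uploads/1/3/<d>/<d>/<id>/ layout, plus one
# .html lure carrying a search-phrase fragment. BENIGN_URLS is an ordinary citation set.
FARM_URLS = [f"http://site{i:02d}.example/uploads/1/3/0/{i % 10}/1300{i:05d}/{i:x}9f3.pdf"
             for i in range(12)]
FARM_URLS.append("http://site00.example/uploads/1/3/1/3/131384777/131384777.html#houses+plans+images")
BENIGN_URLS = ["https://docs.example.org/manual.pdf",
               "https://www.example.net/rfc/rfc8446",
               "https://example.com/blog/post"]
FARM_SAMPLE = build_link_pdf(FARM_URLS)
BENIGN_SAMPLE = build_link_pdf(BENIGN_URLS)

if __name__ == "__main__":
    for name, sample in (("farm", FARM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, link_farm_verdict(sample))
```

On the constructed farm sample the host share stays low while the path-shape share is 1.0, which is the situation in this report's URL list, where 25 distinct hosts share one /uploads/1/3/... layout; a host-only clustering rule would miss it, so the path-shape check is the one that matters here. For real samples, inflate FlateDecode object streams before scanning, or run the same regex over objects obtained from a proper parser such as pikepdf, because this regex only sees plaintext objects.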

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006612.bin
SHA-256: 590c1361bd2532b6080cb5d07f601e7009c9acb32e862eda2c4154c0af11241d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6612
Size: 9744 bytes