Malicious PDF — malware analysis report

Static analysis result for SHA-256 a0591e64bb9b6c36…

MALICIOUS

PDF

Size: 29.5 KB
Created: 2020-05-20 05:40:08 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 98a8141ceaf9b1bad9170119ffe0bd07
SHA-1: 006742e61cd294c2a4eb1b56e4b643f08a8a9278
SHA-256: a0591e64bb9b6c365fb7a243a769e04b0c310cdba81934745c8d859ca1f218ce
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, suggesting a link farm or redirection scheme. The ML classifier also strongly indicated maliciousness. The document body text, though partially corrupted, contains references to book titles and authoring application details, which are likely decoys to mask the malicious intent of redirecting users to external sites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info) PDF_URI
    PDF contains an external URL action.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://sleepytraveler.net/uploads/1/3/0/6/130603978/130603978.html#krugman+economia+internacional+10+edicion
    • http://balanceplus.dk/uploads/1/3/1/4/131483006/wiveve.pdf
    • http://nexts-lab.com/uploads/1/3/0/3/130313198/2506488.pdf
    • http://alandunster.com/uploads/1/3/0/5/130551971/2354547.pdf
    • http://solarline.org/uploads/1/3/0/6/130639439/rekasepobiref-xagowapeso.pdf
    • http://maryredden.com/uploads/1/3/0/5/130588951/6153177.pdf
    • http://haciendaguaraguao.org/uploads/1/3/0/4/130476270/832d8.pdf
    • http://therestaurantfixer.com/uploads/1/3/1/4/131483337/tuwupik.pdf
    • http://ekajaparidze.com/uploads/1/3/1/3/131379524/8856975.pdf
    • http://superiorhealth.club/uploads/1/3/0/7/130739577/7f1977.pdf
    • http://butjob.com/uploads/1/3/0/4/130483285/f8ebe96a9a23.pdf
    • http://smashtattoos.com/uploads/1/3/0/8/130873995/zukalojitime.pdf
    • http://propertyspecialistnc.com/uploads/1/3/0/7/130738740/kinafigones_dezaverusuwono.pdf
    • http://deannaheathrealty.com/uploads/1/3/0/6/130604327/gewijisow.pdf
    • http://mylifewater.nl/uploads/1/3/1/8/131858108/55f26c20df1c.pdf
    • http://eluic.com/uploads/1/3/1/1/131163879/8b04ec5d5af4415.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000487d.bin
SHA-256: 5e29243e3ad583bbc37a7b4a7cae8e8b5bc2b5cc64c805623e4d1d8b04bdad8f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x487D
Size: 9884 bytes