Malicious PDF — malware analysis report

Static analysis result for SHA-256 a0c3c277de947547…

Verdict: MALICIOUS
File type: PDF
Size: 31.2 KB
Created: 2019-05-21 23:30:57 +03:00
Authoring application: ESP Ghostscript 815.02
MD5: 5b2a78394d7d77d99978152a5c952722
SHA-1: 0b8786d84ce812d88f296fda97aeac24e349cbac
SHA-256: a0c3c277de9475475b1196c8c346c2a6b99b012af60ffbe19dfb7143f3ea4944
Risk score: 90

Malware Insights

MITRE ATT&CK
  • T1566.002 Phishing: Spearphishing Link (the sub-technique ID T1566.002 is Spearphishing Link, not Spearphishing Attachment; the sample's only observed capability is its clickable external links)
  • T1059.001 Command and Scripting Interpreter: PowerShell (assigned by the analysis but not corroborated by any extracted script; see the summary)

The PDF contains an unusually large number of clickable links to external PDF files, all on a single host (www.gorillawalker.com), which triggered the critical PDF_SEO_LINK_FARM heuristic; the Nyx ML classifier independently scored the document as malicious (0.8405). The document fits the pattern of a generated SEO/link-farm carrier: the links exist to manipulate search engine rankings and to route anyone who clicks them into whatever the linked PDFs deliver, which may include malicious or unwanted-software download chains. No embedded scripts (JavaScript or otherwise) were extracted from this sample, so the verdict rests on the link structure and the classifier score rather than on any observed code execution. The remaining URLs in the list below are XMP metadata namespace identifiers (RDF, Dublin Core, XMP, PDF/A) and are not clickable links.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.8405

Heuristics (2)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the channel through which each URL is reachable (macro, JS, link annotation, document body, ...) is what matters. The 40 links below are the clickable external PDF links counted by PDF_SEO_LINK_FARM, and every one of them resolves to www.gorillawalker.com.
    • http://www.gorillawalker.com/life-magazine-april-18-1969.pdf
    • http://www.gorillawalker.com/space-exploration-fun-kit-dover-fun-kits.pdf
    • http://www.gorillawalker.com/principles-and-practice-of-relapse-prevention.pdf
    • http://www.gorillawalker.com/still-called-by-name-why-i-love-being-a-priest.pdf
    • http://www.gorillawalker.com/political-philosophy-empathy-and-political-justice-routledge-innovations-in-political.pdf
    • http://www.gorillawalker.com/by-american-map-corporation-student-s-bible-atlas-paperback.pdf
    • http://www.gorillawalker.com/42-low-carb-breakfast-recipes-kindle-edition.pdf
    • http://www.gorillawalker.com/the-sax-brass-book-saxophones-trumpets-and-trombones-in-jazz.pdf
    • http://www.gorillawalker.com/new-gcse-maths-complete-revision-practice-higher-for-the-grade.pdf
    • http://www.gorillawalker.com/cold-peace-stalin-and-the-soviet-ruling-circle-1945-1953.pdf
    • http://www.gorillawalker.com/spider-skirmish-black-white-creeper-combat-series-volume-3.pdf
    • http://www.gorillawalker.com/il-giardino-delle-mosche-italian-edition.pdf
    • http://www.gorillawalker.com/the-bloodstained-pavement-complete-unabridged-the-agatha-christie-collection-marple.pdf
    • http://www.gorillawalker.com/asp-classic-asp-membership-system-code.pdf
    • http://www.gorillawalker.com/structural-dynamics-theory-and-computation.pdf
    • http://www.gorillawalker.com/the-monster-in-my-closet-erotica.pdf
    • http://www.gorillawalker.com/the-harcombe-diet-for-men-no-more-mr-fat-guy.pdf
    • http://www.gorillawalker.com/testing-the-internet-of-everything.pdf
    • http://www.gorillawalker.com/1960s-timelines.pdf
    • http://www.gorillawalker.com/mojave-incident-inspired-by-a-chilling-story-of-alien-abduction.pdf
    • http://www.gorillawalker.com/highlights-of-tarot-boxed-with-colored-pencils-and-tarot-cards.pdf
    • http://www.gorillawalker.com/paraisos-fiscais-e-estrategias-empresariais-ensaios-sobre-investimentos-offshore-portuguese.pdf
    • http://www.gorillawalker.com/a-narrative-of-life-and-travels-in-mexico-and-british.pdf
    • http://www.gorillawalker.com/comparing-to-consign-digital-concordance-book-18-digital-concordance-of.pdf
    • http://www.gorillawalker.com/suddenly-free-rise-of-evil-volume-1.pdf
    • http://www.gorillawalker.com/nanostructured-thin-films-and-nanodispersion-strengthened-coatings-nato-science-series.pdf
    • http://www.gorillawalker.com/nclex-rn-drug-guide-300-medications-you-need-to-know.pdf
    • http://www.gorillawalker.com/down-the-crawfish-hole.pdf
    • http://www.gorillawalker.com/primer-of-drug-action-12th-twelfth-edition.pdf
    • http://www.gorillawalker.com/the-problem-with-survey-research.pdf
    • http://www.gorillawalker.com/tender-buttons-kindle-edition.pdf
    • http://www.gorillawalker.com/don-t-die-in-autumn-a-memoir.pdf
    • http://www.gorillawalker.com/icaew-audit-and-assurance-passcards.pdf
    • http://www.gorillawalker.com/making-your-own-cheese-how-to-make-all-kinds-of.pdf
    • http://www.gorillawalker.com/wave-kinematics-and-environmental-forces-papers-presented-at-a-conference.pdf
    • http://www.gorillawalker.com/holy-crimes.pdf
    • http://www.gorillawalker.com/chords-for-bass-bk-cd-musicians-institute-master-class.pdf
    • http://www.gorillawalker.com/suspicious-plants-at-walmart-kindle-edition.pdf
    • http://www.gorillawalker.com/curso-de-ortograf-a-i-el-uso-de-la-b.pdf
    • http://www.gorillawalker.com/developing-pentecostal-teens-a-covenant-to-nurture-our-children.pdf
    XMP metadata namespace URIs (declared in the document's XMP stream as schema identifiers; not clickable links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://www.aiim.org/pdfa/ns/extension/
    • http://www.aiim.org/pdfa/ns/schema#
    • http://www.aiim.org/pdfa/ns/property#
    • http://www.aiim.org/pdfa/ns/id/
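The PDF_SEO_LINK_FARM heuristic above is described in three conditions (small file, many clickable external PDF links, most of them on one host), and the EMBEDDED_URL note stresses that a URL is only evidence once you know which channel reached it. The following Python is an added example that reimplements that logic; it is not the scanner's own code. It labels each extracted URL by channel (a /URI action in a link annotation versus an xmlns declaration in the XMP stream, which is exactly why the w3.org, purl.org, adobe.com and aiim.org namespace URIs in the list above do not count as links), then applies the three conditions. The thresholds, the regex-based extraction and the constructed sample PDF are all assumptions of this example; the report does not state the vendor's thresholds.

```python
"""Added example: reimplementation of the PDF_SEO_LINK_FARM logic described in the
report, run over a constructed sample PDF. Not the scanner's own code."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Thresholds are assumptions for this example; the report does not state its own.
MAX_SIZE_BYTES = 64 * 1024        # "small PDF"
MIN_EXTERNAL_PDF_LINKS = 10       # "many clickable external PDF links"
MIN_TOP_HOST_SHARE = 0.8          # "mostly clustered on one host"

# /URI action values inside link annotations: literal "( ... )" or hex "< ... >" strings.
_URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
_URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
# XML namespace declarations in the XMP metadata stream.
_XMLNS = re.compile(rb'xmlns(?::[\w.-]+)?="([^"]*)"')


def _unescape_literal(raw: bytes) -> str:
    # Handles \( \) \\ only; octal escapes are out of scope for this example.
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")


def extract_urls(pdf: bytes) -> list[tuple[str, str]]:
    """Return (url, channel) pairs. The channel records how a URL is reachable:
    a /URI action is a clickable link, an xmlns declaration is inert schema metadata."""
    found = []
    for m in _URI_LITERAL.finditer(pdf):
        found.append((_unescape_literal(m.group(1)), "link_annotation"))
    for m in _URI_HEX.finditer(pdf):
        hexstr = re.sub(rb"\s", b"", m.group(1))
        if len(hexstr) % 2:            # PDF pads an odd hex string with a trailing 0
            hexstr += b"0"
        found.append((bytes.fromhex(hexstr.decode("ascii")).decode("latin-1"), "link_annotation"))
    for m in _XMLNS.finditer(pdf):
        found.append((m.group(1).decode("latin-1"), "xmp_namespace"))
    return found


def score_link_farm(pdf: bytes) -> dict:
    """Apply the three conditions of the heuristic and return the supporting evidence."""
    links = [u for u, ch in extract_urls(pdf) if ch == "link_annotation"]
    external_pdf = []
    for u in links:
        parts = urlsplit(u)
        if parts.scheme in ("http", "https") and parts.hostname and parts.path.lower().endswith(".pdf"):
            external_pdf.append(u)
    hosts = Counter(urlsplit(u).hostname.lower() for u in external_pdf)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_count / len(external_pdf) if external_pdf else 0.0
    fired = (len(pdf) <= MAX_SIZE_BYTES
             and len(external_pdf) >= MIN_EXTERNAL_PDF_LINKS
             and share >= MIN_TOP_HOST_SHARE)
    return {"size": len(pdf), "external_pdf_links": len(external_pdf),
            "top_host": top_host, "top_host_share": round(share, 3), "fired": fired}


def build_sample_pdf(link_urls, xmp_namespaces) -> bytes:
    """Constructed sample: a PDF skeleton with one /Link annotation per URL and an XMP
    stream declaring the given namespaces. No xref table is written, because the
    extractor above is regex-based; a strict PDF parser would reject this file."""
    def lit(s):  # PDF literal string with backslash and the two delimiters escaped
        return (s.encode("latin-1").replace(b"\\", b"\\\\")
                .replace(b"(", b"\\(").replace(b")", b"\\)"))
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 10] /A << /S /URI /URI ("
        + lit(u) + b") >> >>\n" for u in link_urls)
    xmlns = b" ".join(b'xmlns:ns%d="%s"' % (i, ns.encode("latin-1"))
                      for i, ns in enumerate(xmp_namespaces))
    xmp = b"<rdf:RDF " + xmlns + b"></rdf:RDF>"
    header = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n")
    page = b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [\n" + annots + b"] >> endobj\n"
    meta = (b"4 0 obj << /Type /Metadata /Subtype /XML /Length " + str(len(xmp)).encode()
            + b" >>\nstream\n" + xmp + b"\nendstream endobj\n")
    return header + page + meta + b"%%EOF\n"


def demo() -> dict:
    # Constructed link set: 12 same-host ".pdf" links in the pattern the report shows,
    # one off-host PDF, one non-PDF page, plus four of the XMP namespaces from the report.
    farm = [f"http://www.gorillawalker.com/constructed-title-{i:02d}.pdf" for i in range(12)]
    farm += ["http://example.org/other.pdf", "https://example.org/index.html"]
    namespaces = ["http://www.w3.org/1999/02/22-rdf-syntax-ns#",
                  "http://purl.org/dc/elements/1.1/",
                  "http://ns.adobe.com/xap/1.0/",
                  "http://www.aiim.org/pdfa/ns/id/"]
    return score_link_farm(build_sample_pdf(farm, namespaces))


if __name__ == "__main__":
    print(demo())
```

On the constructed sample the heuristic fires with 13 external PDF links and a top-host share of 0.923, while the four namespace URIs are reported under the xmp_namespace channel and never enter the count. Against a real file, replace the regex extraction with a proper object-stream-aware parser (for example pdfminer or pypdf): link annotations inside compressed object streams are invisible to a byte-level scan, which is one of the ways a carrier could dodge this check.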