Malicious PDF — malware analysis report

Static analysis result for SHA-256 a6ac62fb4b0021a2…

MALICIOUS

PDF

Size: 44.6 KB
Created: 2020-03-29 09:39:51 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: ac7b3c58283a5ae6395044214f98a1b0
SHA-1: 17c8e845f495c9ba1036d6e5a6e13446cd022187
SHA-256: a6ac62fb4b0021a2e0da7e5b584c29e0add2eeb0a3c6b381f1aed8d9e3751689
Risk score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, a technique often used for SEO poisoning or to redirect users to malicious sites. The ML classifier strongly indicated maliciousness. The primary attack pattern involves luring users to external URLs hosted on domains like techtable.co and 74-123-78-154.mgwnet.com, which likely serve further malicious content or phishing pages.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006f5d.bin
  SHA-256: 9e3f08d510814402c87bcccad40b70badaca89d44693ab8cb756f4261fbd4b6a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6F5D
  Size: 8256 bytes

Filename: font_01_sfnt_off00008dd5.bin
  SHA-256: 57b11507310a54ac1804785031a6c50e3b77163964f97d9b63d647909f1b8434
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8DD5
  Size: 16088 bytes