Malicious PDF — malware analysis report

Static analysis result for SHA-256 ab7becf6c33ea9f8…

Verdict: MALICIOUS
File type: PDF
Size: 84.2 KB
Created: 2020-04-13 00:07:51 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: a45311c8750498070e8540c0192d8924
SHA-1: e9ecf9704aa0ae6171a14b5bf8782af3a508d290
SHA-256: ab7becf6c33ea9f81ecd88419db819a43236c9164f88ca32d1ce439ab1cedbfe
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.003 Phishing: Spearphishing via Service
  • T1204.002 User Execution: Malicious File

The PDF contains a large number of external links, many of them pointing to URLs that share the same /uploads/ path structure on different domains. This pattern is characteristic of a PDF link farm, used for SEO poisoning or to funnel readers to malicious or unwanted content. The ML classifier also flagged the PDF as malicious with high confidence. No scripts were extracted, and the document body contained only garbled text and metadata.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9635

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://preecelightning.com/uploads/1/3/0/5/130539108/130539108.html#ave+ave+ave+maria+ave+ave+maria
    • http://bluelinescharters.com/uploads/1/3/0/5/130551754/zurujidamege.pdf
    • http://stratoenterprises.com/uploads/1/3/1/4/131437017/zulagagakawopujewo.pdf
    • http://grow-residual-income.com/uploads/1/3/0/6/130639181/8346858.pdf
    • http://donatetoanimalrescue.org/uploads/1/3/0/4/130435590/a88f361cd3.pdf
    • http://centrohegan.com/uploads/1/3/0/7/130739595/famasexa.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
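The link-farm heuristic and the per-URL channel labelling above, as an added example that is not the analysis engine's code: it pulls every /URI action target out of the raw PDF bytes, separately records URLs that only appear in the document body or XMP metadata, collapses the numbered /uploads/ paths into one shared template, and fires when a small file carries many clickable links that share a host or a path shape. The thresholds, the minimal PDF built inline and the repetition of the first link are assumptions made here; the link targets themselves are the ones listed in this report.

```python
"""Added example, not the analysis engine's own code: label every URL found in a
PDF by the channel that reached it and score the PDF_SEO_LINK_FARM heuristic
described above. The thresholds and the sample PDF are assumptions made here."""
import re
from collections import Counter
from urllib.parse import urlsplit

# A clickable link: /A << /S /URI /URI (http://...) >> inside a /Link annotation.
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Anything URL-shaped in the raw bytes (XMP metadata, page text, ...).
ANY_URL_RE = re.compile(rb"https?://[^\s<>\"'()]+")
# Namespace identifiers every XMP packet carries; they are not navigation targets.
XMP_HOSTS = {"www.w3.org", "purl.org", "ns.adobe.com"}

# Heuristic thresholds (assumed for this example, not the engine's real values).
MAX_SIZE = 256 * 1024   # what counts as a "small" PDF
MIN_LINKS = 5           # clickable external links needed before the rule can fire
MIN_SHARE = 0.5         # share of links on the top host, or sharing the top path shape

def pdf_string(raw: bytes) -> str:
    """Undo the PDF literal-string escapes that can occur inside a URL."""
    return (raw.replace(rb"\(", b"(").replace(rb"\)", b")")
               .replace(rb"\\", b"\\").decode("latin-1"))

def link_targets(pdf: bytes) -> list:
    """Every /URI action target in document order, one entry per annotation."""
    return [pdf_string(raw) for raw in URI_ACTION_RE.findall(pdf)]

def extract_urls(pdf: bytes) -> dict:
    """Map each URL to the channels it was found in: 'uri_action' and/or 'body'."""
    found = {}
    for url in link_targets(pdf):
        found.setdefault(url, set()).add("uri_action")
    # Blank the action strings so the generic scan only reports the other channels.
    rest = URI_ACTION_RE.sub(b"/URI ()", pdf)
    for raw in ANY_URL_RE.findall(rest):
        found.setdefault(raw.decode("latin-1"), set()).add("body")
    return found

def path_shape(url: str) -> str:
    """Generalise a path so that /uploads/1/3/0/5/130539108/a.pdf and
    /uploads/1/3/1/4/131437017/b.pdf map to the same template."""
    directory = urlsplit(url).path.rsplit("/", 1)[0]
    return re.sub(r"\d+", "#", directory) + "/*"

def assess(pdf: bytes) -> dict:
    """Apply the link-farm heuristic and return the evidence behind the verdict."""
    links = [u for u in link_targets(pdf) if urlsplit(u).hostname not in XMP_HOSTS]
    hosts = Counter(urlsplit(u).hostname for u in links)
    shapes = Counter(path_shape(u) for u in links)
    (top_host, host_n), = hosts.most_common(1) or [(None, 0)]
    (top_shape, shape_n), = shapes.most_common(1) or [(None, 0)]
    n = len(links)
    clustered = n > 0 and max(host_n, shape_n) / n >= MIN_SHARE
    return {
        "size": len(pdf), "links": n, "hosts": len(hosts),
        "top_host": top_host, "top_shape": top_shape,
        "PDF_SEO_LINK_FARM": bool(len(pdf) <= MAX_SIZE and n >= MIN_LINKS and clustered),
    }

def build_sample_pdf(urls: list) -> bytes:
    """Constructed stand-in for the sample: one /Link annotation per URL plus an XMP
    packet. Not the real file; just enough structure for the scanners above."""
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 10] /A << /S /URI /URI ("
        + u.encode("latin-1") + b") >> >>\n" for u in urls)
    xmp = (b"<x:xmpmeta xmlns:x='adobe:ns:meta/'><rdf:RDF "
           b"xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#' "
           b"xmlns:pdf='http://ns.adobe.com/pdf/1.3/'/></x:xmpmeta>")
    meta = (b"4 0 obj << /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp)
            + xmp + b"\nendstream endobj\n")
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
            b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [\n" + annots + b"] >> endobj\n"
            + meta + b"trailer << /Root 1 0 R >>\n%%EOF\n")

# Link targets taken from the report; repeating the first one six times is an
# assumption standing in for the many same-host links the heuristic describes.
SAMPLE_URLS = (
    ["http://preecelightning.com/uploads/1/3/0/5/130539108/130539108.html"
     "#ave+ave+ave+maria+ave+ave+maria"] * 6
    + ["http://bluelinescharters.com/uploads/1/3/0/5/130551754/zurujidamege.pdf",
       "http://stratoenterprises.com/uploads/1/3/1/4/131437017/zulagagakawopujewo.pdf",
       "http://grow-residual-income.com/uploads/1/3/0/6/130639181/8346858.pdf",
       "http://donatetoanimalrescue.org/uploads/1/3/0/4/130435590/a88f361cd3.pdf",
       "http://centrohegan.com/uploads/1/3/0/7/130739595/famasexa.pdf"])

if __name__ == "__main__":
    sample = build_sample_pdf(SAMPLE_URLS)
    for url, channels in sorted(extract_urls(sample).items()):
        print(",".join(sorted(channels)).ljust(10), url)
    print(assess(sample))
```

The two-signal clustering test (top host or top path template) is what separates a generated carrier from a legitimately link-heavy document: a bibliography cites many hosts with unrelated path shapes, whereas a farm either hammers one host or stamps out the same numbered directory layout across many throwaway domains.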

Extracted artifacts (3)

Files carved from inside the sample during analysis.

font_00_sfnt_off0000eaad.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xEAAD
  Size:    12480 bytes
  SHA-256: 25eb88f10c4cb7afb6b2b17dfc7ccb80a744690c4dc84081f5a893510d641f52

font_01_sfnt_off000111d5.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x111D5
  Size:    8232 bytes
  SHA-256: edff44ce6068149644d685b4171b6400b9a516b0b8fb8b10cdbe6be40b48f7e3

font_02_sfnt_off00012a64.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x12A64
  Size:    18236 bytes
  SHA-256: 860e837b9e949dc8599ad72d46853a99cb9ecb16cb5833d27707ae3fcae605b7
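How font artifacts like the three above can be recovered, as an added example that is not the engine's carver: scan uncompressed PDF bytes for an sfnt version tag, validate the table directory that follows (printable tag names, in-bounds offsets), carve max(table offset + table length) bytes, and hash the result. The sample PDF, its two fonts and the decoy 0x00010000 run are constructed here, so offsets and sizes do not match the table above; fonts inside Flate-compressed streams would first need the stream inflated.

```python
"""Added example, not the analysis engine's carver: find embedded sfnt fonts
(TrueType/OpenType) in uncompressed PDF data by validating their table directory,
then carve each to its exact length and hash it as the artifact table does.
The sample PDF and the fonts in it are constructed here."""
import hashlib
import struct

# sfnt version tags: TrueType 1.0, CFF-based OpenType, Apple TrueType.
SFNT_TAGS = (b"\x00\x01\x00\x00", b"OTTO", b"true")

def sfnt_length(buf: bytes, off: int):
    """Byte length of the sfnt at off, or None if the table directory is implausible.
    The length is max(table offset + table length); any trailing 4-byte alignment
    padding after the last table is not included."""
    if off + 12 > len(buf):
        return None
    num_tables = struct.unpack_from(">H", buf, off + 4)[0]
    dir_size = 12 + 16 * num_tables
    if not 1 <= num_tables <= 64 or off + dir_size > len(buf):
        return None
    end = dir_size
    for i in range(num_tables):
        tag, _csum, t_off, t_len = struct.unpack_from(">4sIII", buf, off + 12 + 16 * i)
        # Tags are printable ASCII; tables follow the directory and stay in bounds.
        if not all(0x20 <= c < 0x7F for c in tag):
            return None
        if t_off < dir_size or t_off + t_len > len(buf) - off:
            return None
        end = max(end, t_off + t_len)
    return end

def carve_fonts(buf: bytes) -> list:
    """Scan for sfnt headers; the 0x00010000 tag is common in binary data, so
    every hit is validated by sfnt_length before it is accepted."""
    fonts, pos = [], 0
    while True:
        hits = [i for i in (buf.find(tag, pos) for tag in SFNT_TAGS) if i != -1]
        if not hits:
            return fonts
        off = min(hits)
        length = sfnt_length(buf, off)
        if length is None:
            pos = off + 1
            continue
        blob = buf[off:off + length]
        fonts.append({"offset": off, "size": length,
                      "sha256": hashlib.sha256(blob).hexdigest(), "data": blob})
        pos = off + length

def build_sfnt(tables: dict, tag: bytes = b"\x00\x01\x00\x00") -> bytes:
    """Constructed minimal sfnt: offset table, one directory record per table, then
    the table data, 4-byte aligned as the format requires."""
    n = len(tables)
    header = tag + struct.pack(">HHHH", n, 0, 0, 0)   # search fields unused here
    directory, body = b"", b""
    for name, data in tables.items():
        directory += struct.pack(">4sIII", name, 0, 12 + 16 * n + len(body), len(data))
        body += data + b"\0" * (-len(data) % 4)
    return header + directory + body

FONT_A = build_sfnt({b"head": b"A" * 16, b"glyf": b"B" * 32})
FONT_B = build_sfnt({b"CFF ": b"C" * 48}, tag=b"OTTO")
# A 0x00010000 run that is not a font (numTables 0xFFFF) to exercise the validation.
DECOY = b"\x00\x01\x00\x00\xff\xff" + bytes(26)

def font_stream(num: int, font: bytes) -> bytes:
    """Wrap a font in an uncompressed PDF stream object (constructed, not from the sample)."""
    return (b"%d 0 obj << /Length %d /Length1 %d >>\nstream\n" % (num, len(font), len(font))
            + font + b"\nendstream\nendobj\n")

SAMPLE_PDF = (b"%PDF-1.4\n5 0 obj << /Length 32 >>\nstream\n" + DECOY + b"\nendstream\nendobj\n"
              + font_stream(6, FONT_A) + font_stream(7, FONT_B) + b"%%EOF\n")

if __name__ == "__main__":
    for i, f in enumerate(carve_fonts(SAMPLE_PDF)):
        print("font_%02d_sfnt_off%08x.bin  %d bytes  %s"
              % (i, f["offset"], f["size"], f["sha256"]))
```

Validating the directory rather than trusting the 4-byte tag alone is what keeps the carver usable on real files: the 0x00010000 sequence shows up constantly in image data and object streams, and only a header whose tags are printable and whose tables all land inside the buffer is worth writing out and hashing.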