Malicious PDF — malware analysis report

Static analysis result for SHA-256 abeb68c4bf885e47…

Verdict: MALICIOUS
File type: PDF
Size: 35.5 KB
Created: 2020-04-09 14:03:38 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: a810e14ad876779f8718739ff0a9f78d
SHA-1: 3c789f1b565b33477482c00a7b95760e1daa4dec
SHA-256: abeb68c4bf885e4768f807926cc427be2540183a5addca278b1ae4914528f4ab
Risk score: 92

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1204.001 Malicious Link

The PDF contains an unusually large number of external links, most of them with numeric or generic file names, which points to a link farm or SEO spam operation rather than a normal document with citations. The body text is garbled, but the title refers to psychological reports (in Spanish, "como elaborar un informe psicologico laboral"), and the embedded URLs point to other PDF files or HTML landing pages. The PDF_SEO_LINK_FARM heuristic fired on this pattern. The purpose of such a file is to funnel readers to the linked sites, which may serve malicious advertising, phishing or malware. No script, launch-action or exploit heuristic is listed for this sample; the verdict rests on the link pattern alone.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    A small PDF contains many clickable external links to other PDF files, typically clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern. In this sample the ten links are spread over ten distinct hosts but share an identical /uploads/1/3/x/y/<numeric id>/ path layout, so the clustering here is by hosting pattern rather than by host name.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://rentalpropertylendinggroup.com/uploads/1/3/0/6/130604233/130604233.html#como+elaborar+un+informe+psicologico+laboral
    • http://allyourteeth.com/uploads/1/3/0/7/130739686/xelusosoteritemip.pdf
    • http://greenghostheroacademy.com/uploads/1/3/1/4/131454440/poguwuriravugu_monububufuj.pdf
    • http://silverspume.com/uploads/1/3/0/9/130970005/20c5904805d4d.pdf
    • http://famouscutzbarbershop.com/uploads/1/3/1/3/131384362/8566cf2352dfc.pdf
    • http://matrenover.com/uploads/1/3/1/1/131163841/c16178.pdf
    • http://motortour.online/uploads/1/3/0/7/130740508/lunalikoti-gifafisud-perezijubopo.pdf
    • http://seeky.site/uploads/1/3/0/5/130539987/8372867.pdf
    • http://je-salvador.info/uploads/1/3/0/6/130604574/597d9213.pdf
    • http://konkursalesztuka.pl/uploads/1/3/0/5/130551805/3415854.pdf
    The following six URIs are XMP/RDF namespace identifiers from the document's metadata packet, not navigable links, and should be ignored when counting external links:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
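The PDF_SEO_LINK_FARM heuristic above combines four observations: a small file, many clickable external links, most of them to .pdf targets, and clustering of those targets. The EMBEDDED_URL entry also shows why a naive URL grep needs a filter for XMP namespace URIs. The following script is an added illustration of that logic written for this page; it is not the analysis platform's detector, and the thresholds, the regex-based /URI extraction (literal strings only, no hex strings or indirect objects) and the constructed sample PDF are all assumptions.

```python
"""Added example: a minimal PDF_SEO_LINK_FARM style heuristic.
Illustration code for this page, not the vendor's detector; thresholds,
the regex-based extraction and the sample document are assumptions."""
import re
from collections import Counter
from urllib.parse import urlparse

# Namespace URIs that live in XMP metadata (RDF, Dublin Core, Adobe XMP/PDF).
# A naive URL grep harvests them, but they are not clickable links.
XMP_NAMESPACE_PREFIXES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/",
)

# /URI (literal string) inside a /URI action dictionary.  Hex strings <...>
# and indirect string objects are assumed absent and are not handled.
URI_STRING_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
ANY_URL_RE = re.compile(rb"https?://[^\s\"'<>()\\]+")


def _unescape_pdf_string(raw: bytes) -> str:
    # Undo the PDF string escapes that matter for URLs: \( \) \\
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")


def extract_uri_actions(pdf: bytes) -> list[str]:
    """URLs reachable through clickable /URI actions (link annotations)."""
    return [_unescape_pdf_string(m.group(1)) for m in URI_STRING_RE.finditer(pdf)]


def extract_body_urls(pdf: bytes) -> list[str]:
    """Every http(s) URL anywhere in the file, minus XMP namespace URIs."""
    urls = [m.group(0).decode("latin-1") for m in ANY_URL_RE.finditer(pdf)]
    return [u for u in urls if not u.startswith(XMP_NAMESPACE_PREFIXES)]


def link_farm_verdict(pdf: bytes, *, max_size=100 * 1024, min_links=5,
                      min_pdf_share=0.5, min_host_share=0.5) -> dict:
    """Small file + many external /URI links + mostly .pdf targets +
    clustered on one host.  Threshold values are assumed, not the vendor's."""
    uris = extract_uri_actions(pdf)
    external = [u for u in uris if u.lower().startswith(("http://", "https://"))]
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in external)
    top_host, top_count = (hosts.most_common(1) or [(None, 0)])[0]
    n = len(external)
    verdict = {
        "size": len(pdf),
        "external_links": n,
        "pdf_links": len(pdf_links),
        "pdf_share": len(pdf_links) / n if n else 0.0,
        "top_host": top_host,
        "top_host_share": top_count / n if n else 0.0,
    }
    verdict["link_farm"] = (
        len(pdf) <= max_size and n >= min_links
        and verdict["pdf_share"] >= min_pdf_share
        and verdict["top_host_share"] >= min_host_share
    )
    return verdict


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed sample: a PDF skeleton with one link annotation per URL
    plus an XMP packet.  Enough for the regexes above; not a valid viewer file."""
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 10] "
        b"/A << /S /URI /URI (" + u.encode("latin-1") + b") >> >>\n" for u in urls)
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/">'
           b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
           b'<rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/" '
           b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></rdf:RDF></x:xmpmeta>')
    return b"%PDF-1.4\n" + annots + xmp + b"\n%%EOF\n"


# Constructed links mimicking the layout seen in the report (hosts are made up).
SAMPLE_LINKS = [
    "http://files.example.test/uploads/1/3/0/7/130739686/xelusos.pdf",
    "http://files.example.test/uploads/1/3/1/4/131454440/poguwu.pdf",
    "http://files.example.test/uploads/1/3/0/9/130970005/20c590.pdf",
    "http://files.example.test/uploads/1/3/1/3/131384362/8566cf.pdf",
    "http://files.example.test/uploads/1/3/1/1/131163841/c16178.pdf",
    "http://files.example.test/uploads/1/3/0/7/130740508/lunali.pdf",
    "http://other.example.test/uploads/1/3/0/5/130539987/8372867.pdf",
    "http://landing.example.test/uploads/1/3/0/6/130604233/130604233.html#como+elaborar",
]
SAMPLE_PDF = build_sample_pdf(SAMPLE_LINKS)

if __name__ == "__main__":
    for key, value in link_farm_verdict(SAMPLE_PDF).items():
        print(f"{key}: {value}")
    print("body URLs after namespace filter:", len(extract_body_urls(SAMPLE_PDF)))
```

For a real sample, replace SAMPLE_PDF with the file's bytes; the namespace filter is what keeps the six XMP URIs listed above from inflating the link count, and the host-share term is the one to relax when, as in this report, the links are spread across many hosts that share one path layout.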

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000064c4.bin
SHA-256: a0dad40b8027a1caac8e512c4b9724a56c746429667d8ae3bacca8aa0c2c93df
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x64C4
Size: 7216 bytes