Malicious PDF — malware analysis report

Static analysis result for SHA-256 ac1a9b8ca478f8c5…

MALICIOUS

PDF

Size: 41.7 KB
Created: 2020-06-07 00:14:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b3d009ae82d82d7e5ef99dbe663923db
SHA-1: 0dda4f9b4cddf9b87ac8b50186677f1993bbb262
SHA-256: ac1a9b8ca478f8c500f3f8fbbf42338485ba4e115de1992360975153e1603286
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

This PDF document was flagged as malicious by an ML classifier. It contains a large number of external links, a technique often used for SEO spam or to redirect users to malicious sites. The document body contains text related to 'book of mormon stories pdf' and mentions wkhtmltopdf, suggesting it might be part of a content generation scheme to create numerous pages linking to other sites. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename (SHA-256) | Kind | Source | Size
font_00_sfnt_off000060b5.bin (a3cb2d4c7ef2690aabaf25b96e50ea625b6f22c9bbd8db3d18d982ad9657a08b) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x60B5 | 10448 bytes
font_01_sfnt_off000084b7.bin (1948eddceb6dd17134c62e6fa45c02e74ca7610f7e3e9cce171488535d122402) | pdf-font-stream | PDF embedded font (sfnt) at offset 0x84B7 | 16472 bytes