Malicious PDF — malware analysis report

Static analysis result for SHA-256 aeaf5ed3103e4dd2…

Verdict: MALICIOUS
File type: PDF
Size: 37.9 KB
Created: 2020-03-28 12:56:19 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: be1c76c50013cbd464a47cee6c01a65f
SHA-1: c5a107938d5eca8ed429e07e2440d4a3fab4c7be
SHA-256: aeaf5ed3103e4dd2f6c78600f2b81c64fbb1a2b3d06ab3c28d8808e6958e55e6
Risk score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a deceptive message about an error code and charges, intended to trick the user into clicking a link. This link, along with numerous others embedded in the document, leads to a large farm of external PDF files, suggesting a link-farming or SEO abuse tactic. The ML classifier strongly flagged this PDF as malicious, and the presence of many external links supports this assessment.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://visitmojave.org/uploads/1/3/0/3/130313320/130313320.html#error+code+387+further+text+messages+will+be+charged+to+your+account
    • http://www.kraftedcoffeellc.com/uploads/1/3/0/9/130969648/9894314.pdf
    • http://drewwatsonpups.com/uploads/1/3/0/7/130776676/vigin.pdf
    • http://curaanimanum.com/uploads/1/3/0/6/130604739/c828204ce8.pdf
    • http://guide2pifs.com/uploads/1/3/0/6/130604675/gopobemagek-sokepobive-tidenow.pdf
    • http://dronecoaches.com/uploads/1/3/0/6/130639364/c6743c02600a99.pdf
    • http://adaptiveplanningconsultant.com/uploads/1/3/0/2/130289774/4324364a2.pdf
    • http://www.thomasbanfield.com/uploads/1/3/0/7/130776611/9179328.pdf
    • http://baddazzbikes.com/uploads/1/3/0/8/130814219/lowun_vojafino.pdf
    • http://mta-sts.mx.metropolitanreport.com/uploads/1/3/0/3/130379506/wiriri_mumadelekukax_nijipemexut_mosejenejige.pdf
    • http://hauganefrukt.no/uploads/1/3/0/6/130621603/927179.pdf
    • http://m23drivercpc.net/uploads/1/3/0/7/130775023/refifexiwe.pdf
    • http://allcelebrations.co/uploads/1/3/0/6/130639333/9061105.pdf
    • http://jackiecheuvront.com/uploads/1/3/0/2/130291536/rametaw.pdf
    • http://teachleosa.com/uploads/1/3/0/2/130273623/f0713413.pdf
    • http://industryr.com/uploads/1/3/0/6/130620767/8eb02a6e5b277.pdf
    • https://forums.crackberry.com/showthread.php?t=527197&s=cfd03752bfee114cc8b452fa1c16f93e&p=5
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • https://forums.crackberry.com/showthread.php?t=527197&s=cfd03752bfee114cc8b452fa1c16f93e&p=5
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006aa7.bin
SHA-256: 06e82f09eb1521220ed13fc9f0a70fb31a73ea95c03bd0ba2ec2078020e7d2a7
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6AA7
Size: 7956 bytes