Malicious PDF — malware analysis report

Static analysis result for SHA-256 b01c72b0518d1d8b…

Verdict: MALICIOUS
File type: PDF

Size: 46.9 KB
Created: 2020-04-09 14:19:13 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: a49cf76a76f2e785a6712e021d305450
SHA-1: 34c5613ceedc74b86b322c6059e637c10ed60f2d
SHA-256: b01c72b0518d1d8b36e2d5dd12fde0c9128e2ff6723da904f84ec2bb7d1fba72
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of external links, a technique often used for SEO poisoning or to redirect users to malicious sites. The ML classifier strongly indicated maliciousness. The document body mentions 'Disco duro 250gb samsung ssd 970 evo m.2 2280', suggesting a lure to disguise the malicious links as product information.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off000074be.bin | 6222cbf755240d84fd1477b0feb5b095f391c8abccdafcfc829d1eecaf617b29 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x74BE | 9312 bytes
font_01_sfnt_off0000968f.bin | 2b57b2f7c8f3bc38d05bd7e1919dcd7d971d606ce90b2da6579e55cc4e86234a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x968F | 16260 bytes