Malicious PDF — malware analysis report

Static analysis result for SHA-256 b1079d2e2edbf37a…

Verdict: MALICIOUS
File type: PDF
Size: 34.2 KB
Created: 2020-04-06 05:41:55 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: a0af151b2833602fe2b3fd2668e4fff9
SHA-1: d37e7999263aa689c2f6291791792185c899e67b
SHA-256: b1079d2e2edbf37a273c885698d7e2780923de6f802e85632fff9637c970ed91
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file contains a large number of external links to various domains, a technique often used for SEO poisoning or to redirect users to malicious content. The ML classifier strongly indicated maliciousness. The document body, though heavily obfuscated, contains references to the URLs found in the heuristics, suggesting a coordinated effort to distribute content across multiple domains.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9996

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://rollputz.net/uploads/1/3/0/5/130590456/130590456.html#club+de+ciencias+autonomia+curricular+preescolar
    • http://lflbdemocrats.com/uploads/1/3/0/5/130551487/mupun-xizupofobebuzi-pekuzuvevix.pdf
    • http://aldoggettmaine.com/uploads/1/3/0/6/130605497/tujuferifoxifakux.pdf
    • http://bordersbootcamp.com/uploads/1/3/0/8/130874408/rabojiwutonipi.pdf
    • http://nilsravalvecoverracing.com/uploads/1/3/0/7/130775515/pixidikavenimum.pdf
    • http://richryanphotography.net/uploads/1/3/0/9/130969561/857db6c329b5.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005aa5.bin
SHA-256: ac51da3ce6436376b79e1ad1c9f9539ab6eff3c8ee43f5300b227c0aa70483ba
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5AA5
Size: 8704 bytes