Malicious PDF — malware analysis report

Static analysis result for SHA-256 b4f5a4aa4f1b0f5c…

MALICIOUS

PDF

40.5 KB Created: 2020-04-22 10:48:30 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 9f767b0991ea94b82f4b17fb9132dc74 SHA-1: ab8d21243d135672eac7788e7518ba6fa7df8698 SHA-256: b4f5a4aa4f1b0f5c057bb4b346db67143e7595cc6196b16dd63baba21f93e08b
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, pointing to various domains. The document body contains a reference to 'Naruto blazing apk mod 2. 11. 0', suggesting a lure for users searching for game modifications. The ML classifier also strongly indicated maliciousness. The primary attack pattern involves redirecting users to these external URLs, which may host further malicious content or phishing pages.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://bicdiamonds.com/uploads/1/3/0/6/130620313/130620313.html#naruto+blazing+apk+mod+2.+11.+0
    • http://grupatech.com/uploads/1/3/0/6/130604523/3424962.pdf
    • http://northpacificsuppy.com/uploads/1/3/0/4/130478244/burewigaduzaw.pdf
    • http://beautyempirebundaberg.com/uploads/1/3/0/8/130813054/jivovitovelat-negarilejurana.pdf
    • http://allisondgarrett.com/uploads/1/3/0/7/130776684/pusakevaviribaviwi.pdf
    • http://splinteredmindprints.com/uploads/1/3/0/4/130476012/bewidar.pdf
    • http://haloaudiovisual.com/uploads/1/3/1/3/131382696/eede1522f7.pdf
    • http://jordanangeli.com/uploads/1/3/0/5/130588459/7969733.pdf
    • http://reliableattorneyserviceca.com/uploads/1/3/0/5/130589014/8954453.pdf
    • http://hashcare.com/uploads/1/3/0/8/130814258/d45c3e6b9904b5.pdf
    • http://meltingpalms.com/uploads/1/3/0/5/130588270/6963138.pdf
    • http://rskymediallc.com/uploads/1/3/1/4/131453698/1354775.pdf
    • http://quilpuecentro.com/uploads/1/3/0/4/130477245/weguzanisesesaz.pdf
    • http://dujamenterprise.shop/uploads/1/3/1/4/131406698/fezigesavepuwulorege.pdf
    • http://dtekautomotive.com/uploads/1/3/1/4/131406049/6950776.pdf
    • http://pearse.net/uploads/1/3/0/5/130543995/b442c9f.pdf
    • http://beautyempirebundaberg.com/uploads/1/3/0/8/130813054/jivovitovelat-negarilej
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000677c.bin
76bde43e906b51dc2bb23c2dbc2210ff09864e7fae5880aa495879c730fde86c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x677C 8016 bytes
font_01_sfnt_off0000868e.bin
885781ec91db75dc8c4a6a3d3dac0324bdfdb8f2239dab70466c62035ae072da		 pdf-font-stream PDF embedded font (sfnt) at offset 0x868E 4144 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.