Malicious PDF — malware analysis report

Static analysis result for SHA-256 b62175cc9ba1f5a5…

MALICIOUS

PDF

Size: 40.1 KB
Created: 2020-03-21 16:43:51 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: a4396198ce6ee8f6b063f3c76dd60e50
SHA-1: c2187c795c389761d845af3a7841889f2d19de55
SHA-256: b62175cc9ba1f5a57091fb61c9bf7c4bb201df55d7d57325da06ca40d0d377e6
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links to other PDF files hosted on various domains. This pattern is indicative of SEO spam or a link farm used to distribute malicious content or drive traffic. The ML classifier strongly supports the malicious verdict. No scripts were extracted, limiting the ability to determine specific payload delivery mechanisms.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical; rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info; rule: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://wdfilms.org/uploads/1/3/0/7/130739053/130739053.html#clasificacion+de+heridas+segun+el+agente+causal
    • http://oceanpsalms.com/uploads/1/3/0/8/130814843/xogomen.pdf
    • http://www.gssalon-jp.com/uploads/1/3/0/8/130813317/d2c2f14e127.pdf
    • http://split-quick.com/uploads/1/3/0/4/130488539/9d668f2789.pdf
    • http://autodiscover.data-in-harmony.com/uploads/1/3/0/8/130814172/rufuvukamigakujisag.pdf
    • http://nicoleolsthoorn.com/uploads/1/3/0/2/130272295/nilunugerenemof.pdf
    • http://hostmaster.jbhealth.co.uk/uploads/1/3/0/8/130874470/nedet-zejozuvaxijopik-tozevozil.pdf
    • http://hostmaster.newyorker.beer/uploads/1/3/0/6/130604769/kivasutexot.pdf
    • http://pholmes-iplaw.com/uploads/1/3/0/4/130483900/tomowupufaxan_ronagos_gavojirivonofi.pdf
    • http://campuscircle.org/uploads/1/3/0/3/130379391/20b5d.pdf
    • http://www.gebainflow.com/uploads/1/3/0/2/130270745/458766b50be6.pdf
    • http://davidmichaeldesigns.com/uploads/1/3/0/6/130603903/donobepunefizoveseki.pdf
    • http://neulip.net/uploads/1/3/0/5/130542734/177013.pdf
    • http://www.preparetobvowed.com/uploads/1/3/0/5/130551013/bivadu.pdf
    • http://juggernautpublications.com/uploads/1/3/0/6/130621312/1dcaa850d.pdf
    • http://madwellkale.com/uploads/1/3/0/4/130488399/musoluwujotow_solotu_jirajas.pdf
    • http://jillmansfieldinteriors.com/uploads/1/3/0/5/130588419/gotaro_kaxalid_pofukeladepukam.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000711f.bin
SHA-256: 6a814aa46a1b2fcba52a6007ebf0809776922283918a7d44d33e4252ce37b730
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x711F
Size: 8936 bytes