Malicious PDF — malware analysis report

Static analysis result for SHA-256 b62d4e14e12e87dd…

MALICIOUS

PDF

44.9 KB Created: 2020-04-10 22:40:30 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: a8a0dff1abe524ff405c25bfb9f8fa80 SHA-1: dbcad5ad71cc280a7a75400f67b96e237901bad4 SHA-256: b62d4e14e12e87ddb059235758344ab591320ce9fc71b49b7cb0f8a8f84245d8
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of external links, many of which are numeric slugs pointing to PDF files, indicating a link farm for SEO manipulation or to host malicious content. The document body mentions a 'Brother dcp- t500w scanner driver', likely a lure to entice users to click the embedded malicious links. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://webmail.pottybrake.com/uploads/1/3/1/3/131381411/131381411.html#brother+dcp-+t500w+scanner+driver
    • http://rongeskeyjr.com/uploads/1/3/0/6/130620691/sexomuwefidevilozap.pdf
    • http://therustyroostermarketplace.com/uploads/1/3/1/0/131071063/jodejisobososedetu.pdf
    • http://kadrome.site/uploads/1/3/1/3/131383916/4647109a6758.pdf
    • http://andreamarryphil.com/uploads/1/3/0/9/130969372/9b6ddacb.pdf
    • http://trueattireco.com/uploads/1/3/0/2/130287547/devivoxuvinobob.pdf
    • http://anipa.org/uploads/1/3/0/6/130603936/papelowinesu_rilezopapij_xakol.pdf
    • http://mundoartecom.com/uploads/1/3/0/2/130271001/5138347.pdf
    • http://movingtherightway.net/uploads/1/3/0/2/130292148/795599.pdf
    • http://prettylittlesecrets4you.com/uploads/1/3/0/4/130475965/2514032.pdf
    • http://multisplash.com/uploads/1/3/0/4/130484005/4731611.pdf
    • http://bootcampbites.org/uploads/1/3/1/1/131164414/jajofod.pdf
    • http://aarstudiomasters.com/uploads/1/3/1/4/131406118/5c2373f80.pdf
    • http://christianscully.com/uploads/1/3/0/6/130604631/bifaluresubuxos_safada.pdf
    • http://creginvestmentsllc.com/uploads/1/3/0/2/130271245/pipakokez.pdf
    • http://mnsbearings.com/uploads/1/3/0/9/130969308/7159504.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000079b2.bin
232624b6c39fbc94af9ff0f34ae1d79fd9b550a01cb8b36791d8c0ad98e5b987		 pdf-font-stream PDF embedded font (sfnt) at offset 0x79B2 9532 bytes
font_01_sfnt_off00009c3b.bin
9c441396c78fcec381b139909df8eae4e3e4b3b77c9f9e3b7c3f2073b33ed4b0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9C3B 2616 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.