Malicious PDF — malware analysis report

Static analysis result for SHA-256 b6c14b6ab698614f…

Verdict: MALICIOUS
File type: PDF
Size: 48.4 KB
Created: 2020-03-24 20:42:31 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: c2f87a46404b2673355ba3dd47f5ce58
SHA-1: 106dd2e9eac7678afcd154b0ab199afeeb4e8eb7
SHA-256: b6c14b6ab698614f84e1f15cafd460f3d1245f651b0a10c4b6d8eee680b21497
Risk score: 92

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1204.001 Malicious Link

An ML classifier identified this PDF as malicious. The document carries a large number of clickable external links, most of them pointing to PDF files with generated-looking names under the same /uploads/1/3/0/<n>/13xxxxxxx/ path structure on many unrelated domains, which is the pattern of an SEO link farm rather than of a document citing sources. The producer string (wkhtmltopdf) indicates the PDF was rendered from an HTML page, consistent with automated generation. The likely purpose is to route search traffic to those external resources for advertising fraud, SEO manipulation, or delivery of further malicious content; this is a static analysis of the carrier file, so that purpose is inferred from the link structure alone and the linked content is not part of the result. No JavaScript or other scripts were extracted, so the file itself contains no direct payload-delivery mechanism to analyze; the risk lies in what the links lead to.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://opssecurityagency.com/uploads/1/3/0/8/130874296/130874296.html#ficha+de+trabajo+de+medidas+de+tendencia+central
    • http://typingthevoid.biz/uploads/1/3/0/6/130639703/325b70326b390.pdf
    • http://rekacekap.com/uploads/1/3/0/5/130550814/bilorutejune-defow-xewiramo-nuper.pdf
    • http://b4uburn.com/uploads/1/3/0/5/130539244/lojukejalugurev.pdf
    • http://www.inspirechest.com/uploads/1/3/0/4/130483981/binipejibizapax.pdf
    • http://womens-weight-loss-and-fitness.com/uploads/1/3/0/9/130969407/ed702.pdf
    • http://www.wacosignal.com/uploads/1/3/0/9/130968949/pazajanif-pasovi-lubasamuxes-tusawopowovuge.pdf
    • http://locketsmeadowproduce.com/uploads/1/3/0/6/130620612/9624985.pdf
    • http://backcountry.blondinenterprises.com/uploads/1/3/0/5/130543757/bdd2b32b61361d.pdf
    • http://sems4acultureoflife.org/uploads/1/3/0/9/130969695/lonujidupekofu.pdf
    • http://piecesbyparkers.com/uploads/1/3/0/6/130639506/vavifefuvukik_xuvesagudivu_lifadobopere_dinoded.pdf
    • http://craiglambertmath.com/uploads/1/3/0/4/130476370/7457362.pdf
    • http://aretefin.com/uploads/1/3/0/5/130590243/361a370f6dc2ec.pdf
    • http://artlynchcoaching.org/uploads/1/3/0/9/130969097/sasozujejisigidoxut.pdf
    The following six URIs are the standard RDF, Dublin Core and Adobe namespace identifiers found in the XMP metadata packet of most XMP-bearing PDFs; they are not clickable link targets and are not evidence of malicious linking.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
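The PDF_SEO_LINK_FARM heuristic above and the distinction between link-annotation URLs and metadata namespace URIs can be reproduced on a small scale. The following Python is an added example written for this report, not the analyzer's own code: it builds a constructed, uncompressed sample PDF (hypothetical hosts, shaped like the link list above), extracts the targets of /URI actions from link annotations, ignores the XMP namespace URIs that sit in the metadata stream, and flags the file when many clickable .pdf targets cluster on one host. The size, count and clustering thresholds are assumptions; the real rule's values are not given on the page.

```python
"""Added example, not the analyzer's code: a rough re-implementation of the
PDF_SEO_LINK_FARM idea from the report. Builds a constructed sample PDF, extracts
/URI actions from link annotations, ignores XMP namespace URIs, scores host clustering."""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed inputs (hypothetical hosts, shaped like the report's link list).
FARM_LINKS = [f"http://farm-host.example/uploads/1/3/0/{i % 10}/1300000{i:02d}/{i:08x}.pdf"
              for i in range(10)] + [
    "http://other-a.example/uploads/1/3/0/5/130000011/doc.pdf",
    "http://other-b.example/uploads/1/3/0/6/130000012/doc.pdf",
    "http://other-a.example/uploads/1/3/0/1/130000013/page.html#some+keyword+phrase",
]
CITATION_LINKS = ["https://ref-one.example/paper.pdf",
                  "https://ref-two.example/standard.pdf",
                  "https://ref-three.example/"]
XMP_NS = ("http://www.w3.org/1999/02/22-rdf-syntax-ns#", "http://purl.org/dc/elements/1.1/")


def build_sample_pdf(urls, xmp_namespaces=()):
    """Assemble a minimal uncompressed PDF: one page, a /Link annotation with a /URI
    action per URL, and an XMP metadata stream whose namespace URIs must not count."""
    objs = []

    def add(body):
        objs.append(body)
        return len(objs)  # object numbers are 1-based

    annots = []
    for u in urls:
        esc = u.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        annots.append(add(f"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                          f"/A << /S /URI /URI ({esc}) >> >>"))
    xmp = ("<x:xmpmeta xmlns:x='adobe:ns:meta/'>"
           + "".join(f"<rdf:RDF xmlns:rdf='{ns}'/>" for ns in xmp_namespaces)
           + "</x:xmpmeta>")
    meta = add(f"<< /Type /Metadata /Subtype /XML /Length {len(xmp)} >>\nstream\n{xmp}\nendstream")
    page, pages, catalog = len(objs) + 1, len(objs) + 2, len(objs) + 3
    add(f"<< /Type /Page /Parent {pages} 0 R /MediaBox [0 0 612 792] "
        f"/Annots [{' '.join(f'{n} 0 R' for n in annots)}] >>")
    add(f"<< /Type /Pages /Kids [{page} 0 R] /Count 1 >>")
    add(f"<< /Type /Catalog /Pages {pages} 0 R /Metadata {meta} 0 R >>")

    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for n, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += f"{n} 0 obj\n{body}\nendobj\n".encode("latin-1")
    xref = len(out)
    out += f"xref\n0 {len(objs) + 1}\n0000000000 65535 f \n".encode()
    out += b"".join(f"{o:010d} 00000 n \n".encode() for o in offsets)
    out += (f"trailer\n<< /Size {len(objs) + 1} /Root {catalog} 0 R >>\n"
            f"startxref\n{xref}\n%%EOF\n").encode()
    return bytes(out)


# Literal-string operand of a /URI key; escaped parens inside the string are allowed.
# Caveat: a regex over raw bytes only sees uncompressed objects. Real samples often keep
# annotations in FlateDecode object streams that must be inflated first.
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uri_actions(pdf_bytes):
    """Return the unique URL targets of /URI actions, in document order.
    Namespace URIs inside the XMP stream are never matched: they are not /URI operands."""
    raw = (re.sub(rb"\\([()\\])", rb"\1", m) for m in URI_ACTION_RE.findall(pdf_bytes))
    return list(dict.fromkeys(r.decode("latin-1") for r in raw))


def assess_link_farm(pdf_bytes, max_size=200_000, min_pdf_links=8, cluster_ratio=0.5):
    """Flag a small PDF whose clickable links are mostly .pdf targets on one host.
    Thresholds are assumptions for this example, not the analyzer's."""
    urls = extract_uri_actions(pdf_bytes)
    external = [u for u in urls if urlparse(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    share = top_count / len(pdf_links) if pdf_links else 0.0
    flagged = (len(pdf_bytes) <= max_size and len(pdf_links) >= min_pdf_links
               and share >= cluster_ratio)
    return {"size": len(pdf_bytes), "external": len(external), "pdf_links": len(pdf_links),
            "top_host": top_host, "top_host_share": round(share, 2), "flagged": flagged}


if __name__ == "__main__":
    for name, links in (("farm", FARM_LINKS), ("citations", CITATION_LINKS)):
        print(name, assess_link_farm(build_sample_pdf(links, XMP_NS)))
```

Running the module scores a farm-style document (12 .pdf targets, 10 of them on one host, flagged) beside a citation-style one (2 .pdf targets on distinct hosts, not flagged), while the RDF and Dublin Core namespace URIs in the metadata stream never appear in the extracted list. Hex-string operands (/URI <...>) and indirect-object operands are not handled here; a production check should walk the parsed annotation tree rather than grep raw bytes.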

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000916e.bin
SHA-256: 8c056a329213cfa037a7d0e4a1c9f636fe41945d4f843a471cb770877495a7a5
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x916E
Size: 9244 bytes