Malicious PDF — malware analysis report

Static analysis result for SHA-256 bd53525beaa0733e…

Verdict: MALICIOUS

File type: PDF

Size: 78.9 KB
Created: 2020-03-29 12:49:29 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: a3808daacea80ac73fc03fd47ce28879
SHA-1: 0c6ddd1ca06706265159dddee61e0e4373b234d7
SHA-256: bd53525beaa0733e1bd56e86fd7880ffe5520f3df30885cab53fbee546e35e94

Risk score: 92

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of external links, many pointing to other PDF files, suggesting a link farm or SEO manipulation tactic. The document body, though partially corrupted, contains a title related to engineering and references wkhtmltopdf, indicating it was likely generated programmatically. The ML classifier strongly flagged this PDF as malicious. The primary intent appears to be directing users to external websites through a deceptive document.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000dc01.bin
    SHA-256: 7df88723569d4193f530fe437fb919d713328a77de93ba1b94bee14e62ba1f6b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDC01
    Size: 1712 bytes
  • Filename: font_01_sfnt_off0000e3dd.bin
    SHA-256: 9066a2bcb12901a49afbac275d13a9591a5586341b1c9216a5f7e87a7bba8edf
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE3DD
    Size: 11480 bytes
  • Filename: font_02_sfnt_off00010b89.bin
    SHA-256: e2f1373bf3d70a40ff4276a486f0a1d2d32154e4f45ad1243a44c3d3b7d91cea
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x10B89
    Size: 2652 bytes
  • Filename: font_03_sfnt_off000114f2.bin
    SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x114F2
    Size: 16036 bytes