Malicious PDF — malware analysis report

Static analysis result for SHA-256 bdcf68ed20ae105e…

Verdict: MALICIOUS

File type: PDF

Size: 65.4 KB
Created: 2021-03-30 05:15:54 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: c2001fe8fd55015559c77afbd93edbaf
SHA-1: 138fc5cadb9d2b625f242a405e7bfe1489ff5ea3
SHA-256: bdcf68ed20ae105e82b3b41f2972f430d978472c94372ea59df9d279193e2fb7

Risk Score: 94

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was identified as malicious by an ML classifier and contains a large number of external links, a technique often used for SEO manipulation or to distribute further malicious content. The document body, though heavily obfuscated, suggests a lure related to a 'vegetarian keto diet plan pdf'. The primary IOC is the initial URL used in the PDF, which appears to be part of a link farm.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9724

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL https://kuzutuzo.ru/award?keyword=vegetarian+keto+diet+plan+pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000f86e.bin
    SHA-256: b57b662961cada9ba7b7da1b8c4c60913970b2aea65fd54b607eb2f793880f96
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF86E
    Size: 5060 bytes