Malicious PDF — malware analysis report

Static analysis result for SHA-256 be73a91e75389920…

MALICIOUS

PDF

Size: 70.3 KB
Created: 2020-03-11 10:47:52 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: a4be39cf981ad8e335ff4e14016f959d
SHA-1: 1e80abe25ed6685776262e69997e82b63ec6d2d2
SHA-256: be73a91e75389920fcfc8aff01e70b77742c4a8988a93bfe9fef7dc6eb4b9fdc
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of external links to other PDF files hosted on various domains. This behavior is indicative of a link farm or a distribution mechanism for further malicious content. The ML classifier strongly supports the malicious verdict. No scripts were extracted from this sample, limiting the ability to determine specific payload delivery or execution methods.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000074f8.bin
  SHA-256: 74c37d666679fe656466b19f284680f6e9c2ab53d24d68a61acf23e764afe5d6
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x74F8
  Size: 7996 bytes

Filename: font_01_sfnt_off000093ca.bin
  SHA-256: 79c7fe5e380677dc97621353eb7dc966836eb0357d2eaf8087bc7460eb63d1d1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x93CA
  Size: 38612 bytes