Malicious PDF — malware analysis report

Static analysis result for SHA-256 beba79f50ace1406…

MALICIOUS

PDF

35.9 KB Created: 2020-06-07 15:05:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ad6c4af16f3b70177ed8b79409228f70 SHA-1: 1c8b91b4e10bb2233e68631d6eedb24dc29af2ef SHA-256: beba79f50ace1406303d59c7b16db75f418e11aedd3be127ce2ec1aafbe211f7
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of external links, as indicated by the PDF_SEO_LINK_FARM heuristic. The ML classifier also flagged this PDF as malicious with high confidence. The embedded URLs point to various domains, suggesting a link farm or distribution network. The document body text is garbled, but the presence of URLs and the heuristics strongly indicate a malicious intent to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://shoppereviveinteriors.com/uploads/1/3/0/5/130590561/130590561.html#medeni+hukuk+pratik+%25C3%25A7al%25C4%25B1%25C5%259Fmalar%25C4%25B1+sera
    • http://steadyflossin.com/uploads/1/3/0/4/130476074/8757178.pdf
    • http://hr4slo.com/uploads/1/3/0/7/130775558/2575963.pdf
    • http://jllamericasgis.com/uploads/1/3/0/5/130590608/fuzupor_jolikon_lafulefakus_gaterarimugewe.pdf
    • http://aerialadvantagepoint.com/uploads/1/3/0/3/130313070/6b4bffff27339.pdf
    • http://jokerthief.vip/uploads/1/3/0/6/130622009/883377.pdf
    • http://bkmodz.com/uploads/1/3/0/3/130379342/5329198.pdf
    • https://novebagi.files.wordpress.com/2020/06/20704091644.pdf
    • https://tosuvodetevo.files.wordpress.com/2020/06/61104398751.pdf
    • https://rewanuzagi.files.wordpress.com/2020/06/64493027053.pdf
    • https://lovugamu.files.wordpress.com/2020/06/78206133881.pdf
    • https://mojalipo.files.wordpress.com/2020/06/piturateso.pdf
    • https://bisapabak.files.wordpress.com/2020/06/36999919964.pdf
    • https://kitafolek.files.wordpress.com/2020/06/77128064702.pdf
    • https://pitekule.files.wordpress.com/2020/06/xogavajilutaferegatofepox.pdf
    • https://jefofim.files.wordpress.com/2020/06/tosuwagasapepi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005db3.bin
825ad9661d910545129a30831b50be4b0654e08de28fb23012ae1c91ae4b8bec		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5DB3 11856 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.