Malicious PDF — malware analysis report

Static analysis result for SHA-256 bf7c1f33ad914742…

MALICIOUS

PDF

34.5 KB Created: 2020-06-16 09:47:30 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: af704ec6b307d1afeb89c23dc2237724 SHA-1: 9b8806512f71eac9d99e88327eab368022da9f0f SHA-256: bf7c1f33ad914742bcc281feb6b70962e99b74146d58180b4dc41da852f441cc
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document contains a large number of external links, many of which point to other PDFs hosted on similar domains. The document body text explicitly mentions 'Download cissp pdf', suggesting a lure to download malicious content. The ML classifier strongly flagged this PDF as malicious, and the presence of numerous SEO-like PDF links indicates a potential link farm for distributing malware. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://youngcelebrationsoflife.ca/uploads/1/3/0/7/130775730/130775730.html#download+cissp+pdf
    • http://preventivemedicalservice.com/uploads/1/3/0/7/130740563/aaf3c0292.pdf
    • http://urgenthousecalls.com/uploads/1/3/0/7/130776105/bipapexejenoza-mulaxefinen-vorimubirari-disuxoli.pdf
    • http://autodiscover.twistedblendz.com/uploads/1/3/1/4/131437233/tulaparalege.pdf
    • http://flipyourthreads.net/uploads/1/3/0/8/130873946/wuzavam.pdf
    • http://juliehetherington.com/uploads/1/3/1/4/131453056/mewiwoxitidulubu.pdf
    • http://mail.speluqueros.com/uploads/1/3/0/5/130550910/87509f0f841.pdf
    • http://sydney.awrc.org.au/uploads/1/3/0/6/130604355/7b593c1.pdf
    • http://michkah.com/uploads/1/3/0/6/130605203/54186eb5de.pdf
    • http://glwwnet.com/uploads/1/3/0/4/130483515/popurujojebex.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005f9c.bin
338e0659f8c6992b6d08a888beba6e0ddd2a7350f3445b3d9e978590d8415064		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5F9C 9224 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.