Malicious PDF — malware analysis report

Static analysis result for SHA-256 c0689af07e4b3ff9…

MALICIOUS

PDF

Size: 15.9 KB
Created: 2020-04-05 11:28:32 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: fb431093cd8c7dd0c8c2b68293e7de47
SHA-1: caf2d1be1fa7a3de4364c87cdd0738ea67e6a4fa
SHA-256: c0689af07e4b3ff9a40973c2ed3f73b2e8ed49daa4e181d6f32ffbaf52cc50d8
Risk Score: 112

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 User Execution: Malicious Link

The PDF is identified as an image-only lure, containing minimal text and a clickable action that directs to an external URL. This structure is typical of phishing campaigns aiming to trick users into visiting malicious websites. The document body contains obfuscated text and multiple embedded URLs, suggesting a link farm designed to distribute traffic to various potentially malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9534

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Image-only document with action trigger (screenshot lure) (severity: medium, rule: PDF_IMAGE_LURE)
    PDF has 1 image(s), only 0 text block(s), carries a click-outward action, and is only 15 KB — typical shape of a phishing lure where a full-page screenshot hides a clickable button that launches or submits to an attacker URL.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.