Malicious PDF — malware analysis report

Static analysis result for SHA-256 c0a435d5630dffe3…

MALICIOUS

PDF

Size: 140.9 KB
Created: 2020-06-12 04:03:51 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 01d6b41d7becb4c99c362a030770d553
SHA-1: fcfcf370e03e7fd00961b2d0e3dedc96e32d8439
SHA-256: c0a435d5630dffe34fc8578d73f081d513693d8876006575475afbdf6bdd3a32
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links, many of which point to similarly structured URLs on different domains, suggesting a link farm or SEO poisoning tactic. The document body, though heavily obfuscated, contains a reference to 'Parliaments of different countries pdf' and a URL that matches one of the extracted external links. This indicates the document's primary purpose is to redirect users to potentially malicious content hosted on these external sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9643

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (10)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

stream_010_off0001ccfa.bin
  SHA-256: 0bab6dff48bc4fa67c2f45b8e68117a4e3cced4dfdd1bf78fe93383bb160eecc
  Kind: decompressed-pdf-stream; Source: PDF FlateDecoded stream at offset 0x1CCFA; Size: 26100 bytes
font_00_sfnt_off0000fd58.bin
  SHA-256: fbb4367c009c0e5ae30423e0d705f0d5976d7a83aae9d5a3ae86a6f1632b3a59
  Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xFD58; Size: 10096 bytes
font_01_sfnt_off00011f69.bin
  SHA-256: 468e1c180ba9ad0a38d4d43edd18156eb8aec1aff206d1ca26b8d0ee2f899690
  Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x11F69; Size: 4728 bytes
font_02_sfnt_off00013073.bin
  SHA-256: 0d73d740ea58c2c2254eb4e2bad8aa4d58062e2511a738e296f3f7bd3c9a9f9e
  Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x13073; Size: 4840 bytes
font_03_sfnt_off00014050.bin
  SHA-256: bd6185bdcb2a481bc507425af478e88aa736061fa72544908f90ca156cfbf7e1
  Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x14050; Size: 12752 bytes
font_04_sfnt_off00015d0f.bin
  SHA-256: 2b086584b00300d3404db6f1cc65773eb6c20eb97e739ef83f4e57bfa37c8d6f
  Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x15D0F; Size: 7992 bytes
font_05_sfnt_off0001736a.bin
  SHA-256: 87ff2501be7e0309a4d2209ea5c26a80fce47ff96d02be5362063d12f35fcbe1
  Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x1736A; Size: 8236 bytes
font_06_sfnt_off00018d8e.bin
  SHA-256: ddb6a08b73fe0ec79b89a52cab69dc84403aaf0ab0f5745fa1abe6bc3b56b1ba
  Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x18D8E; Size: 24160 bytes
font_08_sfnt_off0001fdfb.bin
  SHA-256: dd6713ed59872f26fbd11551622cd377f653be5c7f9a9af891f68680a979c847
  Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x1FDFB; Size: 4420 bytes
font_09_sfnt_off00020eb3.bin
  SHA-256: 84a6efc0dda9f0c2a7f399712c821982fc11cf32f06eb77efdda63d924edde4d
  Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x20EB3; Size: 6492 bytes