Malicious PDF — malware analysis report

Static analysis result for SHA-256 c2c658d506564666…

Verdict: MALICIOUS
File type: PDF

Size: 33.3 KB
Created: 2020-04-13 17:15:19 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: aca9f32d651ae890944e1bed5fbca42c
SHA-1: 0b05fd2373810d1b2965b4903ec95c20e9377bc6
SHA-256: c2c658d506564666c973820199a7f2085e8462307387ab51313d44f468b8c20e
Risk score: 92

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of external links to various domains, a technique often used for SEO link farms or to redirect users to malicious content. The ML classifier strongly indicated maliciousness. The document body contains fragments of text and URLs, suggesting a lure related to 'Bethel music album free zip'. No scripts were extracted, but the PDF structure itself is used to host and distribute links to other potentially malicious PDF files.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9981

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000051f9.bin
SHA-256: ab9f3c6e795f9eff18992aa147aa14e7b7921cb4aee9f2401fb322bdd1eaf8d9
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x51F9
Size: 7640 bytes

Filename: font_01_sfnt_off00006fea.bin
SHA-256: 1b3f82cd74c5b6671cc0c0d4a6c7877b74bb57ca469b2a61ef541918e41af838
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6FEA
Size: 2652 bytes