Malicious PDF — malware analysis report

Static analysis result for SHA-256 c303cae349b0cf97…

Verdict: MALICIOUS
File type: PDF
Size: 70.5 KB
Created: 2020-05-07 02:15:32 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 047bba9f71e9eacf57039e00bf9bc1cd
SHA-1: ddc9ae2171bcd2769647c9abe5d6d5f1fd2f2bba
SHA-256: c303cae349b0cf975b5d25db98fa6231e04583f6d06d8032044a11d89ae5c22a
Risk score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a significant number of external links, identified as a link farm. The primary purpose appears to be redirecting users to various PDF documents hosted on different domains. This technique is often used for SEO manipulation or to distribute malicious payloads. No scripts were extracted, and the document body was heavily obfuscated, limiting further analysis of the direct user-facing content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8574

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://gatostf.org/uploads/1/3/1/1/131164506/131164506.html#oxford+atlas+map+book+pdf
    • http://vaporinklounge.com/uploads/1/3/0/8/130873856/vikevased-kizumeji.pdf
    • http://autoenrolmentadviser.xyz/uploads/1/3/0/5/130550785/vovogewu.pdf
    • http://hood4goodlive.com/uploads/1/3/0/2/130292125/51f2bd5be78d630.pdf
    • http://talkingtoseniors.com/uploads/1/3/0/7/130739782/1284968.pdf
    • http://gregwbaker.com/uploads/1/3/1/3/131379781/913e08.pdf
    • http://stimulationsamenopweg.com/uploads/1/3/1/6/131606509/gibakuxidikibos-jelomu-bozoti-xudunejuxinu.pdf
    • http://cfo2sb.com/uploads/1/3/0/6/130639953/bunifujaweror.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • Filename: stream_004_off0000db60.bin
    SHA-256: 533d09e1cedaf86b811f83940124f9c0d07bf4eab27c03e14b0007e1f8bcfa11
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xDB60
    Size: 17472 bytes
  • Filename: font_00_sfnt_off0000a823.bin
    SHA-256: 40ef96da86b6123d577d475be460de15c41b9ca7393a8e650be4e9942aa3c64b
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA823
    Size: 3720 bytes
  • Filename: font_01_sfnt_off0000b385.bin
    SHA-256: b6d669e5378e02ab91d12799d2db201db8983a85d9efb6f2850a7ad4808ae433
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xB385
    Size: 11644 bytes