Malicious PDF — malware analysis report

Static analysis result for SHA-256 c523d37bd457bd1a…

Verdict: MALICIOUS
File type: PDF
Size: 49.2 KB
Created: 2020-04-19 00:17:51 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: a68089a22d5ed0f70986d7080ec5b8f1
SHA-1: 082908559de431a18e6880793225e0411b77a6f0
SHA-256: c523d37bd457bd1a4c6eb3cd6ace88cc5af24c99359f4b3691fff9f66927353b
Risk score: 92

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment; T1204.001 User Execution: Malicious Link

The PDF contains a large number of clickable external links, spread across many unrelated domains that all share the same /uploads/1/3/x/x/<id>/ path template. That layout is characteristic of machine-generated SEO link-farm carriers, which exist to push readers into further unwanted or malicious download chains rather than to cite anything. The ML classifier returned the maximum malicious score. No scripts were extracted, and the document body text is heavily obfuscated, so the user-facing lure cannot be read from the page content; the only hint is the search-phrase fragment on the first link (free movie theme music), consistent with SEO bait. The authoring application (wkhtmltopdf) indicates the file was rendered from HTML, which fits a generated carrier.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    A small PDF contains many clickable external PDF links, clustered on one host or on one URL template. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI action
    The PDF contains at least one /URI link action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL labels indicate which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Clickable link-action targets:
    • http://maryredden.com/uploads/1/3/0/3/130379292/130379292.html#asuran+tamil+movie+theme+music+free
    • http://whsflag.com/uploads/1/3/0/8/130813953/5678423398ec.pdf
    • http://agustinsanchez.blog/uploads/1/3/0/7/130738790/f9c45.pdf
    • http://o2smallhouses.com/uploads/1/3/0/6/130605159/6867061.pdf
    • http://back40ministry.com/uploads/1/3/0/2/130289154/5576388.pdf
    • http://ynoga.com/uploads/1/3/0/8/130814284/zizumakukedevod.pdf
    • http://sorrentobobcatandlandscaping.com/uploads/1/3/0/7/130775455/e0f14aeaa29befc.pdf
    • http://bulldogcleaningservice.com/uploads/1/3/0/3/130313228/wizolozulewux_netoke_bedanoxozuxi.pdf
    • http://surfcampcotejax.com/uploads/1/3/1/1/131164260/kajinupadul.pdf
    • http://hodkinsongardendesign.com/uploads/1/3/0/7/130738482/1971025.pdf
    • http://chandlersublease.com/uploads/1/3/1/6/131606169/9754539.pdf
    • http://restorativejuveniledetention.org/uploads/1/3/1/4/131438667/timonulawuwovuwofek.pdf
    • http://moderndemure.com/uploads/1/3/0/8/130873833/leradaberus-wodivikum.pdf
    Passive URLs (XMP/RDF schema namespace identifiers from the metadata packet; present in any XMP-bearing PDF, not clickable, not indicators):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
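To make the PDF_SEO_LINK_FARM and EMBEDDED_URL logic concrete, here is an added example (my own triage script, not the analysis platform's code) that builds a small constructed PDF inline, pulls the /URI link-action targets, separates them from passive URLs such as the XMP namespace identifiers above, and scores the link-farm pattern. It generalizes the heuristic slightly: besides host clustering it also clusters on the digit-collapsed path template, which is what the links in this report share, and it surfaces the search-phrase fragment as a lure hint. The hostnames, thresholds and the XMP packet are assumptions chosen for the demonstration; it handles the literal-string form of /URI only.

```python
"""Link-farm triage for a PDF (added example; constructed sample input)."""
import re
import zlib
from collections import Counter
from urllib.parse import urlparse

# Constructed sample links: made-up hosts, path shape mimicking the
# "/uploads/1/3/0/x/<id>/<name>.pdf" layout described in the report.
SAMPLE_LINKS = [
    "http://lure-a.example/uploads/1/3/0/3/130379292/130379292.html#some+movie+theme+music+free",
    "http://lure-b.example/uploads/1/3/0/8/130813953/5678423398ec.pdf",
    "http://lure-c.example/uploads/1/3/0/7/130738790/f9c45.pdf",
    "http://lure-d.example/uploads/1/3/0/6/130605159/6867061.pdf",
    "http://lure-e.example/uploads/1/3/0/2/130289154/5576388.pdf",
    "http://lure-f.example/uploads/1/3/0/8/130814284/zizu.pdf",
    "http://lure-g.example/uploads/1/3/0/7/130775455/e0f14.pdf",
    "http://lure-h.example/uploads/1/3/0/3/130313228/wizo.pdf",
    "http://lure-i.example/uploads/1/3/1/1/131164260/kaji.pdf",
]
# Constructed XMP packet; the namespace URIs are ordinary schema identifiers.
SAMPLE_XMP = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/">'
              b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
              b'<rdf:Description xmlns:pdf="http://ns.adobe.com/pdf/1.3/" '
              b'xmlns:xmp="http://ns.adobe.com/xap/1.0/"/></rdf:RDF></x:xmpmeta>')


def build_sample_pdf(links=SAMPLE_LINKS) -> bytes:
    """One page, one /Link annotation with a /URI action per link, plus an
    uncompressed XMP metadata stream. Enough structure for the regexes."""
    annots, objs = [], []
    for i, url in enumerate(links, start=5):
        annots.append(f"{i} 0 R")
        objs.append(f"{i} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    f"/A << /S /URI /URI ({url}) >> >>\nendobj\n")
    return (
        "%PDF-1.4\n"
        "1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>\nendobj\n"
        "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
        f"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        f"/Annots [{' '.join(annots)}] >>\nendobj\n"
        f"4 0 obj\n<< /Type /Metadata /Subtype /XML /Length {len(SAMPLE_XMP)} >>\n"
        "stream\n" + SAMPLE_XMP.decode() + "\nendstream\nendobj\n"
        + "".join(objs) + "trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    ).encode()


URL_RE = re.compile(rb"https?://[^\s\"'<>()\[\]]+")
# Literal-string form of a URI action: /URI (target). Hex strings and escaped
# parentheses are not handled in this example.
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)


def inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every FlateDecode stream we can decompress,
    so URLs inside compressed objects are visible to the regex scan."""
    extra = []
    for m in STREAM_RE.finditer(data):
        try:
            extra.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # uncompressed (e.g. XMP) or another filter: scanned raw
    return data + b"\n".join(extra)


def extract_urls(data: bytes) -> dict:
    """Split URLs into clickable (/URI action targets) and passive (everything
    else, typically XMP namespaces), the distinction EMBEDDED_URL relies on."""
    data = inflate_streams(data)
    clickable = [u.decode("latin-1") for u in URI_ACTION_RE.findall(data)]
    every = {u.decode("latin-1") for u in URL_RE.findall(data)}
    return {"clickable": clickable, "passive": sorted(every - set(clickable))}


def link_farm_verdict(data: bytes, max_size=200_000, min_links=8,
                      min_pdf_share=0.5, min_cluster_share=0.6) -> dict:
    """Assumed thresholds: small file, many clickable links, mostly .pdf
    targets, concentrated on one host or one digit-collapsed path template."""
    urls = extract_urls(data)
    links = urls["clickable"]
    hosts = Counter(urlparse(u).hostname for u in links)
    templates = Counter(re.sub(r"\d+", "N", urlparse(u).path.rsplit("/", 1)[0]) for u in links)
    pdf_share = sum(urlparse(u).path.lower().endswith(".pdf") for u in links) / max(len(links), 1)
    host_share = hosts.most_common(1)[0][1] / len(links) if links else 0.0
    tmpl_share = templates.most_common(1)[0][1] / len(links) if links else 0.0
    hit = (len(data) <= max_size and len(links) >= min_links
           and pdf_share >= min_pdf_share
           and max(host_share, tmpl_share) >= min_cluster_share)
    return {
        "link_farm": hit,
        "clickable": len(links),
        "passive": len(urls["passive"]),
        "pdf_share": pdf_share,
        "top_host": hosts.most_common(1)[0] if links else None,
        "top_path_template": templates.most_common(1)[0] if links else None,
        # URL fragments with '+' separators read as the SEO search phrase
        "lure_hints": [urlparse(u).fragment.replace("+", " ") for u in links if urlparse(u).fragment],
    }


if __name__ == "__main__":
    for k, v in link_farm_verdict(build_sample_pdf()).items():
        print(f"{k}: {v}")
```

Run on the constructed sample it reports nine clickable links, three passive namespace URLs, a .pdf share just under 0.9, a single path template covering every link, and the lure hint recovered from the fragment; a PDF with only a couple of ordinary citation links stays below min_links and is not flagged.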

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded sfnt (TrueType/OpenType) font streams, which is the normal output of an HTML-to-PDF renderer such as the wkhtmltopdf/Qt build named in the metadata; their presence is not itself an indicator.

  • font_00_sfnt_off00005f48.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x5F48; Size: 15812 bytes
    SHA-256: e94e7d7faae384be988df986233cf8b35dfb097c6c87ec8ea4bf36b16a30d583
  • font_01_sfnt_off00008aea.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x8AEA; Size: 7580 bytes
    SHA-256: 7f380211484bde5281bbd44f77497022faf0bcce490b0d5ef4f64715688acd31
  • font_02_sfnt_off0000a880.bin
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xA880; Size: 4056 bytes
    SHA-256: 85f98c69eaf105b792cfd07809229b213445e2154ac83828e05877331abe88ae