Malicious PDF — malware analysis report

Static analysis result for SHA-256 c7a894d812dc55f0…

MALICIOUS

PDF

Size: 40.5 KB
Created: 2020-05-25 03:58:39 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b8bc8fe9e9ac67658f718dd5b3f2878a
SHA-1: 7c810be73d2f160b6bedf3a0c9d0dd79b92d8174
SHA-256: c7a894d812dc55f0c60c20522e38888bf8fe3048b43b66229688a57cf84da7df
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links, many of which point to PDF files with numeric slugs, a pattern indicative of a link farm or SEO spam campaign. The document body, though heavily obfuscated, contains references to a service manual and to the tool used to generate the PDF, suggesting the document is a deceptive lure. The ML classifier strongly flagged this PDF as malicious, supporting the assessment that its intent is to drive traffic to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9985

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://paganiproperties.com/uploads/1/3/0/6/130620882/130620882.html#onida+ultra+slim+tv+service+manual