Malicious PDF — malware analysis report

Static analysis result for SHA-256 c8a0d399b726fab7…

Verdict: MALICIOUS
File type: PDF
Size: 40.6 KB
Created: 2020-04-12 16:51:19 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 05014b31d6818ed6a6f64da5f6d5567d
SHA-1: 3dad7888a383f7b3eb0893fb09c392e8d0ab0c25
SHA-256: c8a0d399b726fab7e483a910430a14dceecef91d33a85c59447b7b2ea7162ff4
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, pointing to various domains. The document body text, though partially corrupted, includes a URL that matches one of the extracted links. This suggests the primary purpose is to redirect users to a network of linked content, likely for SEO manipulation or to serve as a distribution point for further malicious activities.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm (critical) [PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info) [PDF_URI]
    PDF contains an external URL action.
  • Embedded URL (info) [EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005f13.bin
SHA-256: e4fdb3decd34c4318cf5eb1b1fd0e9e7e73bd16745d516b122cc32d5c107625a
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5F13
Size: 8432 bytes

Filename: font_01_sfnt_off000074e1.bin
SHA-256: 64445d079a02a31a6f9456ef338a331d4fcb7d41bfa85fc8a86e1b90fdb531a8
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x74E1
Size: 8772 bytes