Malicious PDF — malware analysis report

Static analysis result for SHA-256 cd97aaed2b05b0b7…

Verdict: MALICIOUS
File type: PDF
Size: 23.6 KB
Created: 2020-05-07 05:15:39 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: f9a1197532d3f01dc664850888d8acdf
SHA-1: e3f764c62684d0d3622a6d0b9da308430a0082bf
SHA-256: cd97aaed2b05b0b7156092d4e416cfa4c4b5c1e312a162a5785485cbf0a6f2bd
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, suggesting a link farm or SEO poisoning attack. One of the extracted URLs, http://vocallysoftware.com/uploads/1/3/0/9/130969449/130969449.html#java+jdk+11+zip, is also present in the document body. The ML_NYX_PDF_MALICIOUS heuristic further supports the malicious nature of this document.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9989

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://vocallysoftware.com/uploads/1/3/0/9/130969449/130969449.html#java+jdk+11+zip