Malicious PDF — malware analysis report

Static analysis result for SHA-256 cec48b261f15e30e…

Verdict: MALICIOUS
File type: PDF
Risk Score: 92

Size: 41.0 KB
Created: 2020-04-16 01:37:32 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: ad8dfd515c00db62674560ce39fac236
SHA-1: 9c88ff931496b1719b3a077f1495757b43335f20
SHA-256: cec48b261f15e30ebb70ba012953f5a8306cfa2be403ec1b9210fff4392d9145

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains numerous external links, a common tactic for SEO poisoning and redirecting users to malicious sites. One such link, 'http://blueshellservices.com/uploads/1/3/1/0/131071145/131071145.html#antivirus+kaspersky+free++full+version', is presented in a way that suggests it is a search result for antivirus software, likely a lure. The ML classifier also strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9978

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://blueshellservices.com/uploads/1/3/1/0/131071145/131071145.html#antivirus+kaspersky+free++full+version
    • http://creamcitycollaborative.net/uploads/1/3/1/4/131406182/lawofijedufut-boliweji-tuxakukepafub-tusesagag.pdf
    • http://thuyhang89.com/uploads/1/3/0/7/130739633/1232979.pdf
    • http://pottereat.com/uploads/1/3/0/6/130639538/viziku.pdf
    • http://lwissdstudents.com/uploads/1/3/0/3/130379424/7593312.pdf
    • http://flicksi.com/uploads/1/3/0/7/130776810/9bfc946133826b0.pdf
    • http://lifelineinsurance.info/uploads/1/3/0/5/130540458/pites.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000077a3.bin
SHA-256: c382ff4fe24d5ba51c5be6e1e4b87b13a53ebc789f45d707a3058fccb8309f4a
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x77A3
Size: 9004 bytes