Malicious PDF — malware analysis report

Static analysis result for SHA-256 cf626382a9ae1e1f…

MALICIOUS

PDF

Size: 39.6 KB
Created: 2020-03-31 01:57:25 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: ba97fa766718ec759a4ff2767c21bb29
SHA-1: 282aef27b8c04b676ae57a32287621ce12aa7551
SHA-256: cf626382a9ae1e1fcb0df1fcebcab861355892f129d7f54be579016b65a6d1e6
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1566.002 Phishing: Spearphishing Link

The PDF file is small (39.6 KB) yet carries a large number of external link annotations, nearly all of which point to other PDF files hosted on many different domains under the same /uploads/1/3/0/N/<numeric id>/ path template. The document body contains a search-query-like phrase about a GE microwave keypad (also visible as the URL fragment of the single HTML link), which is most likely a lure keyword chosen for search-engine ranking and disguises the SEO-spam or phishing purpose of the links rather than reflecting any real content. The ML classifier scored the file 1.0000 malicious, supporting the interpretation of this as a generated SEO link-farm or phishing carrier document.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM [critical] Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI [info] External URI
    PDF contains an external URL action.
  • EMBEDDED_URL [info] Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://iweargreatness.com/uploads/1/3/0/6/130620975/130620975.html#ge+microwave+keypad+shorted+message
    • http://alegendbooks.com/uploads/1/3/0/5/130590122/24154bf8.pdf
    • http://nonmemoire.com/uploads/1/3/0/7/130776363/8160439.pdf
    • http://masstrappers.net/uploads/1/3/0/7/130740524/7841453.pdf
    • http://abrasax.info/uploads/1/3/0/7/130738637/jogapovepol_zovolu_voginetito_gajarifabuvir.pdf
    • http://godshousechurchsa.com/uploads/1/3/0/2/130287538/0fe978411297ac.pdf
    • http://itsworkhappening.com/uploads/1/3/0/6/130620538/2249577.pdf
    • http://hunterlove.com/uploads/1/3/0/6/130605433/jozubesizup.pdf
    • http://advance-it.net/uploads/1/3/1/4/131452887/wudet.pdf
    • http://dragonbeautysupply.com/uploads/1/3/0/9/130969339/bametal_mikelurezox_tajifemodezevat_lejezamuxo.pdf
    • http://advancementadvisors.com/uploads/1/3/0/5/130543154/3007930.pdf
    • http://hjbmarketingandpr.com/uploads/1/3/0/7/130776738/38c1f2cd.pdf
    • http://jdhhydraulics.net/uploads/1/3/0/8/130813094/ddc41ddefedf2.pdf
    • http://acepluscontractors.com/uploads/1/3/0/9/130969594/xuzugak_pujilo.pdf
    • http://holetownapartment.com/uploads/1/3/0/8/130873996/zakumurami.pdf
    • http://canticonuevoep.com/uploads/1/3/0/7/130775392/1173312.pdf
    • http://pharmainsights.ie/uploads/1/3/0/4/130488399/3484704.pdf
    • http://renderme3d.net/uploads/1/3/0/5/130588796/e59e853f7.pdf
    • http://3010lbj.com/uploads/1/3/0/8/130814713/380d4f5b2bad.pdf
    • http://highlandchapel.com/uploads/1/3/0/5/130589331/240314.pdf
    • http://a2zinteriors.org/uploads/1/3/0/2/130288887/1216565.pdf
    • http://konsumit.com/uploads/1/3/0/8/130874217/f61113e.pdf
    • http://waspconsulting.services/uploads/1/3/0/2/130288444/febef.pdf
    • http://emilybbakes.com/uploads/1/3/0/7/130775046/dekuberiramanad.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries are standard RDF, Dublin Core and Adobe XMP namespace identifiers taken from the document's metadata stream; they are not clickable link targets and should be excluded when counting the link farm.
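The PDF_SEO_LINK_FARM heuristic above is described only in prose. The following is an added example, not the analysis engine's own code, of how such a rule can be implemented over raw PDF bytes: it pulls only /URI action strings (so XMP namespace URIs in the metadata stream are never counted), then checks file size, link count, the share of links ending in .pdf, and clustering by host and by digit-normalised path template. The path-template signal is my own extension suggested by the /uploads/1/3/0/N/<id>/ pattern in the listed URLs; the thresholds, the build_sample_pdf helper and all hostnames in SAMPLE_URLS are constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import urlparse


def build_sample_pdf(urls):
    """Build a structurally minimal PDF with one /Link annotation per URL plus an
    XMP metadata stream. Constructed test input for this example only."""
    annots, refs, n = [], [], 4
    for u in urls:
        annots.append(
            f"{n} 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
            f"/A << /S /URI /URI ({u}) >> >> endobj".encode()
        )
        refs.append(f"{n} 0 R")
        n += 1
    # Namespace URIs live in the metadata stream, not in any /URI action.
    xmp = (b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/>')
    parts = [
        b"%PDF-1.4",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 3 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [%d 0 R] /Count 1 >> endobj" % n,
        b"3 0 obj << /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp)
        + xmp + b"\nendstream\nendobj",
        *annots,
        f"{n} 0 obj << /Type /Page /Parent 2 0 R /Annots [{' '.join(refs)}] >> endobj".encode(),
        b"trailer << /Root 1 0 R >>",
        b"%%EOF",
    ]
    return b"\n".join(parts) + b"\n"


def extract_uri_actions(pdf: bytes):
    """Return the target of every /URI action, handling literal and hex strings."""
    uris = []
    for m in re.finditer(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)", pdf):
        literal = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # unescape \( \) \\
        uris.append(literal.decode("latin-1"))
    for m in re.finditer(rb"/URI\s*<([0-9A-Fa-f\s]*)>", pdf):
        hexstr = re.sub(rb"\s", b"", m.group(1))
        if len(hexstr) % 2:
            hexstr += b"0"  # PDF pads an odd trailing hex digit with 0
        uris.append(bytes.fromhex(hexstr.decode("ascii")).decode("latin-1"))
    return uris


def score_link_farm(pdf: bytes, max_size=64 * 1024, min_links=10, min_pdf_ratio=0.7):
    """Apply a link-farm rule: small file, many external links, mostly .pdf targets,
    clustered on one host or on one digit-normalised path template."""
    external = [u for u in extract_uri_actions(pdf)
                if urlparse(u).scheme in ("http", "https")]
    pdf_links = [u for u in external if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in external)
    # /uploads/1/3/0/6/130620975/x.pdf -> /uploads/N/N/N/N/N (directory part only)
    templates = Counter(re.sub(r"\d+", "N", urlparse(u).path.rsplit("/", 1)[0])
                        for u in external)
    total = len(external)
    host_share = hosts.most_common(1)[0][1] / total if total else 0.0
    tmpl_share = templates.most_common(1)[0][1] / total if total else 0.0
    pdf_ratio = len(pdf_links) / total if total else 0.0
    return {
        "size": len(pdf),
        "external_links": total,
        "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host_share": host_share,
        "top_path_template": templates.most_common(1)[0][0] if total else "",
        "top_template_share": tmpl_share,
        "link_farm": (len(pdf) <= max_size and total >= min_links
                      and pdf_ratio >= min_pdf_ratio
                      and (host_share >= 0.5 or tmpl_share >= 0.5)),
    }


# Constructed sample mirroring the report's link pattern: one HTML "lure" link plus
# twelve .pdf links on twelve hypothetical hosts sharing one path template.
SAMPLE_URLS = ["http://lure-host.example/uploads/1/3/0/6/130620975/130620975.html#lure+query"] + [
    f"http://host{k:02d}.example/uploads/1/3/0/{k % 10}/13062{k:04d}/file{k}.pdf"
    for k in range(1, 13)
]
SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS)
# Constructed benign control: two ordinary citation links.
BENIGN_PDF = build_sample_pdf(["https://www.w3.org/TR/xml/", "https://example.org/paper.pdf"])

if __name__ == "__main__":
    for name, doc in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        print(name, score_link_farm(doc))
```

Because the extractor only looks inside /URI actions, the RDF and Adobe namespace strings in the metadata stream are ignored even though a naive "find every http:// in the file" pass would count them; the host-share check alone would miss this sample (thirteen distinct hosts), which is why the path-template clustering is added as a second way to satisfy the rule.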

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000070e8.bin
SHA-256: 9df27b3a769159c7cd683b1f49f8f4874c648c645e9d8ff6a428a18e090454e3
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x70E8
Size: 8128 bytes