Malicious PDF — malware analysis report

Static analysis result for SHA-256 cfcb9f6ea3f22484…

Verdict: MALICIOUS
File type: PDF
Size: 43.8 KB
Created: 2020-03-13 04:54:16 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: c43fc3c6fe6443cb1551e233484e99d0
SHA-1: a97bb94abf0a4950fb16d7a1c3af33d0f335ce74
SHA-256: cfcb9f6ea3f22484b37ccb54a3fdab83ae92178e12fb35a7af93769b35cb71e9
Risk Score: 92

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.001 Malicious Link

The PDF contains an unusually large number of external links for a 43.8 KB document, which fired the PDF_SEO_LINK_FARM heuristic; the Nyx ML classifier also scored it 1.0000 (malicious). The body text is a lure referencing 'Agile principles patterns and practices in c', a search-engine-style title intended to draw readers into the embedded links and disguise their purpose. The primary attack pattern is to route users through a network of linked domains, likely for phishing or malware/unwanted-software distribution; the document itself carries no JavaScript, macro or exploit content, so the links are the payload.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): small PDF contains a mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): external URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://wangshangyingqian.br3h.com/uploads/1/3/0/7/130775730/130775730.html#agile+principles+patterns+and+practices+in+c
    • http://kybowenart.com/uploads/1/3/0/7/130739505/3653580.pdf
    • http://carmel-valley-homes-in-palmilla.com/uploads/1/3/0/7/130739535/xonamuz_wimopade_bitafetesukadu.pdf
    • http://kamikadesigns.com/uploads/1/3/0/4/130489051/namapuwatoxuta-tuxenakodezo.pdf
    • http://preshilmyparts.com/uploads/1/3/0/4/130488850/xineluv-ditinawitewigur-gudikafukap-rixitu.pdf
    • http://camalitv.info/uploads/1/3/0/4/130476427/6384178.pdf
    • http://www.ilmedioevoincucina.com/uploads/1/3/0/6/130621788/lazibatofes.pdf
    • http://handmadecandlesandsoaps.com/uploads/1/3/0/5/130550794/1169741.pdf
    • http://smallupsimpledown.com/uploads/1/3/0/6/130621582/b09e2.pdf
    • http://bamfieldmercantile.com/uploads/1/3/0/7/130739265/7013513.pdf
    • http://www.tierconsultingfirm.com/uploads/1/3/0/3/130379711/vodukep_xufafudavupu_viferul.pdf
    • http://www.freebefore11.com/uploads/1/3/0/2/130289542/4627777.pdf
    • http://mortargroutepoxy.com/uploads/1/3/0/7/130739579/fe8a1d1c.pdf
    • http://rissmusicschool.com/uploads/1/3/0/7/130738676/pemabunijopaxaborika.pdf
    • http://loreelees.net/uploads/1/3/0/3/130379141/e4ab884a75b824f.pdf
    • http://fixersinthealgarve.com/uploads/1/3/0/6/130639862/4094813.pdf
    • http://alchemy-unlimited.com/uploads/1/3/0/9/130969176/6294939.pdf
    • http://iihl-iilh.net/uploads/1/3/0/4/130490155/dd37df92506f78.pdf
    • http://gocustomstamps.com/uploads/1/3/0/7/130776105/6ba4261b.pdf
    • http://www.themarobishop.com/uploads/1/3/0/7/130775466/mojimu.pdf
    • http://madisonvillemealprep.com/uploads/1/3/0/2/130289618/653831.pdf
    • http://evabuxeda.com/uploads/1/3/0/7/130776363/90ed7618.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six URLs are standard XMP/RDF metadata namespace identifiers (RDF syntax, Dublin Core, Adobe PDF and XMP schemas) written by the authoring tool; they are not clickable link targets and should not be treated as indicators. The http://...pdf and .html entries above them share one /uploads/1/3/0/N/13NNNNNNNN/ path layout across many unrelated domains, which is the link-farm pattern the heuristic describes.
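As an added example (not the vendor's detection logic, which this report does not publish), the Python below implements a stand-in for the PDF_SEO_LINK_FARM heuristic and the per-URL channel labelling described under EMBEDDED_URL. It works on raw, uncompressed PDF syntax and builds its own constructed sample PDF with reserved .example hosts, so nothing here is real sample data. The thresholds (200 KB, 10 links, 50% cluster share) and the names XMP_NAMESPACES, link_farm_heuristic and classify_urls are assumptions. It generalizes the heuristic's "clustered on one host" test by also clustering on a shared upload-path template, because carriers like the one above spread targets across many domains that share one path layout.

```python
import posixpath
import re
from collections import Counter
from urllib.parse import urlsplit

# Standard XMP/RDF namespace identifiers that appear in PDF metadata streams.
# They are not link targets; any extracted URL under these prefixes is labelled as metadata.
XMP_NAMESPACES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns#",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/pdf/1.3/",
    "http://ns.adobe.com/xap/1.0/",
)

# Literal-string /URI entries of URI action dictionaries (uncompressed objects only).
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
# Any http(s) URL anywhere in the file, for channel attribution.
URL_RE = re.compile(rb"https?://[^\s\"'<>()]+")


def extract_uri_actions(pdf_bytes):
    """URLs reached through clickable /URI actions (link annotations)."""
    return [m.group(1).decode("latin-1") for m in URI_ACTION_RE.finditer(pdf_bytes)]


def classify_urls(pdf_bytes):
    """Map every extracted URL to the channel that carried it."""
    actions = set(extract_uri_actions(pdf_bytes))
    channels = {}
    for m in URL_RE.finditer(pdf_bytes):
        url = m.group(0).decode("latin-1")
        if url in actions:
            channel = "link-annotation"
        elif url.startswith(XMP_NAMESPACES):
            channel = "xmp-namespace"
        else:
            channel = "other"  # document body text, info dictionary, etc.
        channels.setdefault(url, channel)
    return channels


def link_farm_heuristic(pdf_bytes, max_size=200 * 1024, min_links=10, min_share=0.5):
    """Assumed thresholds: small file, many external links, and most targets
    either on one host or under one digit-normalized directory template."""
    uris = [u for u in extract_uri_actions(pdf_bytes)
            if urlsplit(u).scheme in ("http", "https")]
    n = len(uris)
    hosts = Counter(urlsplit(u).hostname for u in uris)
    templates = Counter(re.sub(r"\d+", "N", posixpath.dirname(urlsplit(u).path)) for u in uris)
    host_share = hosts.most_common(1)[0][1] / n if n else 0.0
    template_share = templates.most_common(1)[0][1] / n if n else 0.0
    pdf_targets = sum(1 for u in uris if urlsplit(u).path.lower().endswith(".pdf"))
    fired = (len(pdf_bytes) <= max_size and n >= min_links
             and max(host_share, template_share) >= min_share)
    return {"size_bytes": len(pdf_bytes), "links": n, "distinct_hosts": len(hosts),
            "host_share": round(host_share, 2), "path_template_share": round(template_share, 2),
            "pdf_targets": pdf_targets, "PDF_SEO_LINK_FARM": fired}


def build_sample_pdf(urls, namespaces=XMP_NAMESPACES):
    """Constructed test input: minimal uncompressed PDF with one /Link annotation
    per URL and an XMP metadata stream. Not derived from the analysed sample."""
    objects = []

    def add(body):
        objects.append(body)
        return len(objects)

    link_ids = [add(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 10] "
                    b"/A << /S /URI /URI (" + u.encode() + b") >> >>") for u in urls]
    xmp = (b"<x:xmpmeta xmlns:x='adobe:ns:meta/'><rdf:RDF "
           + b" ".join(b"xmlns:ns%d='%s'" % (i, ns.encode()) for i, ns in enumerate(namespaces))
           + b"/></x:xmpmeta>")
    meta_id = add(b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp)
                  + xmp + b"\nendstream")
    pages_id = len(objects) + 2  # the Pages object is added right after the Page
    annots = b"[" + b" ".join(b"%d 0 R" % i for i in link_ids) + b"]"
    page_id = add(b"<< /Type /Page /Parent %d 0 R /MediaBox [0 0 612 792] /Annots " % pages_id
                  + annots + b" >>")
    add(b"<< /Type /Pages /Kids [%d 0 R] /Count 1 >>" % page_id)
    catalog_id = add(b"<< /Type /Catalog /Pages %d 0 R /Metadata %d 0 R >>" % (pages_id, meta_id))
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for i, body in enumerate(objects, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % i + body + b"\nendobj\n"
    xref = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += (b"trailer\n<< /Size %d /Root %d 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objects) + 1, catalog_id, xref))
    return bytes(out)


# Constructed link farm: 12 PDF targets on 12 different hosts plus one HTML lure,
# all sharing one /uploads/N/N/N/N/N/ directory layout (hypothetical .example hosts).
SAMPLE_URLS = [f"http://host{i:02d}.example/uploads/1/3/0/{i % 10}/1307{i:05d}/{i * 7919:07d}.pdf"
               for i in range(12)]
SAMPLE_URLS.append("http://lure.example/uploads/1/3/0/7/130775730/130775730.html#agile+principles")

if __name__ == "__main__":
    sample = build_sample_pdf(SAMPLE_URLS)
    print(link_farm_heuristic(sample))
    for url, channel in classify_urls(sample).items():
        print(f"{channel:16} {url}")
```

The regexes only see literal-string /URI entries in uncompressed objects; real-world carriers usually keep annotations inside FlateDecode-compressed object streams, so inflate the file first (qpdf --qdf or a PDF library) before running the checks, and extend URI_ACTION_RE if hex-string URIs are in scope.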

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000081c9.bin
SHA-256: 4fbff6e61d69149b682ca3bf32234752d8cf43439cb315872bdb25301c0ce648
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x81C9
Size: 8220 bytes