Malicious PDF — malware analysis report

Static analysis result for SHA-256 d05fc0476a345ff9…

Verdict: MALICIOUS

File type: PDF

Size: 37.2 KB
Created: 2020-04-07 13:02:04 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: a5ced4009889e8706ce00f0cdb9763f4
SHA-1: 70d0dc6698092faa011bd284a890cdffd5f9778d
SHA-256: d05fc0476a345ff9f999c8330287a1493209534fbe5e2a71af4f06b7d0e50726
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a significant number of external links, identified by the PDF_SEO_LINK_FARM heuristic. These links point to various domains, many of which appear to be part of a link farm designed to manipulate search engine results or host malicious content. The ML classifier also strongly indicated maliciousness. No scripts were extracted, and the document body is heavily obfuscated, making it difficult to determine the exact payload, but the primary attack vector is the redirection via these numerous URLs.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000068a8.bin
SHA-256:  7460b1ad318a93040c51616ae1bdc22979f84b5705c3d8a978ceb5c626189561
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x68A8
Size:     8224 bytes