Malicious PDF — malware analysis report

Static analysis result for SHA-256 d3781ba2175f7c7a…

Verdict: MALICIOUS
File type: PDF

Size: 92.0 KB
Created: 2020-04-24 20:27:10 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 04ee4f4d8433a8b97e6376965b372735
SHA-1: c2279336720e25287367443aa05acb899c41cf8e
SHA-256: d3781ba2175f7c7a57a0ba7b078c5d7515f66d82cf83a87761aa27378fac9690
Risk score: 92

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains numerous external links, a technique often used for SEO poisoning or to redirect users to malicious sites. The document body, though heavily obfuscated, contains text related to 'Spoken english course contents pdf', suggesting a lure to attract clicks. The presence of multiple PDF links and external URIs strongly indicates a malicious intent to drive traffic to potentially compromised or malicious domains.

Machine Learning

  • Nyx PDF Classifier malicious score 0.5725

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://bonecleanerbbqsauce.com/uploads/1/3/1/3/131380915/131380915.html#spoken+english+course+contents+pdf
    • http://mahdiyaragoods.com/uploads/1/3/0/5/130550756/fabebapewefabo-gisedixovajajab-kixebeduxugig.pdf
    • http://allsolutionsconstruction.com/uploads/1/3/0/7/130776110/2439426.pdf
    • http://sheltre.com/uploads/1/3/0/7/130738785/dajake_pesaj_joxojunejala.pdf
    • http://jpfacilitiesmanagement.com/uploads/1/3/0/5/130542718/6f67ce6c1a7f.pdf
    • http://thefastshopp.com/uploads/1/3/1/0/131070054/wubizajagogusu.pdf
    • http://memorymonitoring.org/uploads/1/3/1/3/131384156/nozunedemunabu.pdf
    • http://piersongardenandlandscape.com/uploads/1/3/1/4/131437242/tojajojuni.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (6)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000d45c.bin | 3eb1d856eb2958803d67066f3d944523808bb83b4aa11ca86240b1394fdb6ab4 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xD45C | 9528 bytes
font_01_sfnt_off0000f87a.bin | 523231aab849ad30ac9eb04698e16d17e62d487e8ee3d2971c25caba5bcbff8c | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF87A | 1664 bytes
font_02_sfnt_off00010165.bin | 1723f1ced37cc89d69e30f3df6281c5e5fb8989544fd4587aa75b00c91af2fd0 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10165 | 1388 bytes
font_03_sfnt_off00010903.bin | 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x10903 | 16036 bytes
font_04_sfnt_off00011d6f.bin | 043f89cdc56a6d687dbde9ca708df5d68a479f0504edd5c2f1c61766139dec50 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11D6F | 10532 bytes
font_05_sfnt_off00013078.bin | cf21c1a46214eb2e281f8dd36ae6a752b736b7eced0121438b18e1025fff318a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13078 | 17984 bytes