Malicious PDF — malware analysis report

Static analysis result for SHA-256 d390dd1201f4187b…

Verdict: MALICIOUS
File type: PDF
Size: 42.8 KB
Created: 2020-03-22 01:55:14 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 03dce2cb39e6a7fe28f959fe6d8e065c
SHA-1: d646650d35da5471af4d56c43a3c3b084fbaa803
SHA-256: d390dd1201f4187bdc461bd46eb1090189408567991ba672845b1baa286c9501
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links, many of which are numerically or generically named, indicative of a link farm or SEO spam tactic. The ML classifier strongly flagged this PDF as malicious. The primary attack pattern involves redirecting users through a network of seemingly unrelated domains, likely to host malicious content or phishing pages.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://blockchainambassador.ca/uploads/1/3/0/2/130288520/130288520.html#trono+de+cristal+saga+sinopsis
    • http://geomaxsurveys.com/uploads/1/3/0/5/130546759/195c6876f54b6.pdf
    • http://madbundlesllc.com/uploads/1/3/0/6/130603907/lebumafanibarunibefu.pdf
    • http://www.theconductivebody.com/uploads/1/3/0/5/130589302/xefofefuxabap-likipafe-kelupe-kedixiwawud.pdf
    • http://farmersmarketdog.com/uploads/1/3/0/5/130588906/tevuboro.pdf
    • http://shangba-la.org/uploads/1/3/0/4/130435876/6555022.pdf
    • http://michigantalks.net/uploads/1/3/0/5/130589037/073dbff5f26b1e.pdf
    • http://professormichaelgreer.com/uploads/1/3/0/3/130323538/vudixasedexe-bewegimulebip.pdf
    • http://iuseelite.net/uploads/1/3/0/3/130324206/69e0fc.pdf
    • http://holypostapp.org/uploads/1/3/0/7/130776101/2932562.pdf
    • http://mailserver.apollotyresmanchester.co.uk/uploads/1/3/0/7/130739017/a995555ed5fb5e.pdf
    • http://lopacconvention.com/uploads/1/3/0/6/130639879/zosobebesorife_jedunaderi.pdf
    • http://azpoloassn.com/uploads/1/3/0/4/130483510/919356.pdf
    • http://webmail.oilsmart.net/uploads/1/3/0/5/130550736/72214c9904c0f3.pdf
    • http://lesliethorntonart.com/uploads/1/3/0/5/130540010/3464570.pdf
    • http://hawtwaxart.com/uploads/1/3/0/6/130639977/guzorus.pdf
    • http://orangecountyautobarn.com/uploads/1/3/0/2/130289158/zutukef.pdf
    • http://www.robertsfarmbooks.com/uploads/1/3/0/6/130639513/3cf1ee2882ab7.pdf
    • http://houstonveteranscounseling.org/uploads/1/3/0/8/130813765/6529594.pdf
    • http://rebekkagolde.com/uploads/1/3/0/2/130287311/jegujezisepanagogi.pdf
    • http://www.stupidtosay.com/uploads/1/3/0/6/130605010/5208093.pdf
    • http://ksdivinehealth.net/uploads/1/3/0/8/130813732/wodubine.pdf
    • http://vertriebsautomat.com/uploads/1/3/0/6/130621047/vewavit-zulokazeb.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007bfd.bin
SHA-256: b7834ae0dccb7899e96fe476e60c68fb920e7396fbcc5991c312b1125e51e4e9
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x7BFD
Size: 9244 bytes