Malicious PDF — malware analysis report

Static analysis result for SHA-256 d6b6341696203769…

Verdict: MALICIOUS

File type: PDF

Size: 43.3 KB
Created: 2018-11-14 08:19:09 +03:00
Authoring application: FPDF 1.53
MD5: 26dae2158d63f27d43799d93964d0406
SHA-1: f58d5bc994e7b660c8e577fdb01ca41083a91b74
SHA-256: d6b6341696203769248656e468df441d99b773dccc08ae28f8488f97a4e6b449
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded links to external PDF files, as indicated by the PDF_SEO_LINK_FARM heuristic. The ML classifier also flagged this PDF as malicious with high confidence. The primary attack pattern appears to be a link farm designed to manipulate search engine results or to route users into further malicious content; the links are hosted on the single domain www.gorillawalker.com.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9171

Heuristics (2)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: stream_000_off00000209.bin
SHA-256: 6c391a881000ffd93a5507818d027abfc07ac39e972ffd65f8b28de609456da0
Kind: decompressed-pdf-stream
Source: PDF FlateDecoded stream at offset 0x209
Size: 14603 bytes