Malicious PDF — malware analysis report

Static analysis result for SHA-256 d750b2565f8baac6…

Verdict: MALICIOUS
File type: PDF
Size: 83.2 KB
Created: 2020-04-01 20:05:02 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: a28dc6331e600a99f29975898e3b6804
SHA-1: b8e4b871ea8857732ff6775a4c9ee49da35e87e7
SHA-256: d750b2565f8baac60372fafacdc4def3069368069c2280b134a28805f0c1627b
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links to other PDF files hosted on various domains, as indicated by the PDF_SEO_LINK_FARM heuristic. The ML classifier also flagged this PDF as malicious with high confidence. The primary attack pattern appears to be a link farm designed to direct users to potentially malicious content hosted elsewhere, rather than containing a direct exploit within this file.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      | SHA-256                                                          | Kind            | Source                                      | Size
------------------------------|------------------------------------------------------------------|-----------------|---------------------------------------------|------------
font_00_sfnt_off0000f70e.bin  | 750ddf87bf0dae17dbde1549557080c1ebced302c7640ec03912b72c1013a1fe | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF70E   | 11164 bytes
font_01_sfnt_off00011cbb.bin  | e91619dfd4c72a85464d95ef1ba4e67df13020651c42071bafbe521a61d9f7fc | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11CBB  | 2652 bytes
font_02_sfnt_off00012622.bin  | b4eaba1313c2ae02e0840532e8df49817f4492e706e7fc7006fa435ca033da2a | pdf-font-stream | PDF embedded font (sfnt) at offset 0x12622  | 16208 bytes