Malicious PDF — malware analysis report

Static analysis result for SHA-256 d77115750dfd82bd…

Verdict: MALICIOUS
File type: PDF
Size: 47.6 KB
Created: 2020-04-01 17:57:09 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 9784d4bf5af1734ff5ded4def9675e6f
SHA-1: fbbfac8a079eeb4c2070c521e26492dd18172aa4
SHA-256: d77115750dfd82bddcb99920cdcd140cfc1c0014c1b4dca9d4058dda993a5c16
Risk score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF carries a large number of clickable external links to other PDF files spread across many unrelated domains, a pattern characteristic of a link farm or SEO-poisoning campaign rather than ordinary citation. The ML classifier scored it as malicious with maximum confidence. The document text, though heavily obfuscated, references 'Buell 1125r torque specs' (the same search phrase appears in the fragment of the first extracted URL), and the metadata names wkhtmltopdf as the generator, consistent with an HTML search-bait page converted to PDF as a lure intended to route readers to the linked resources. All three heuristic hits are link-related: the risk is in where the links lead, not in active content inside the file.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern. In this sample the links are spread over eleven hosts but share a single /uploads/ path layout.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted from the document (the first is an HTML page whose fragment carries the lure's search phrase; the following eleven are the external PDF links counted by the link-farm heuristic):
    • http://cypressenergyservices.com/uploads/1/3/1/4/131408772/131408772.html#buell+1125r+torque+specs
    • http://themagazine.store/uploads/1/3/0/5/130541208/gobovukiwotezix_mababuxodazi.pdf
    • http://willowswonder.com/uploads/1/3/1/4/131406804/6235938.pdf
    • http://minibaraddict.com/uploads/1/3/1/4/131437875/2ac3f2cc.pdf
    • http://cosmeticglue.com/uploads/1/3/0/6/130621243/vusukebaw.pdf
    • http://vizualzmt.com/uploads/1/3/0/6/130604940/lexifikojiru.pdf
    • http://divineearthmedicinals.com/uploads/1/3/0/4/130483801/vubizowuzuv_vuwuzaro_teregebu.pdf
    • http://chevychaseinn.com/uploads/1/3/0/4/130490643/7a24dbaad015.pdf
    • http://aliveaftercancer.com/uploads/1/3/0/7/130776309/wisarelunatuvozageg.pdf
    • http://eltapancorusticfurniture.com/uploads/1/3/1/4/131438464/9b142dd.pdf
    • http://doranyprzyloz.com/uploads/1/3/0/2/130287289/sobasoga_dekiwalube_misabidip_gebov.pdf
    • http://cfoondemandcr.com/uploads/1/3/0/2/130271068/e2a8510e20.pdf
    XMP metadata namespaces also extracted (schema identifiers from the document's XMP packet, not navigable links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
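As an added example (not the analysis platform's own code), the link-farm heuristic and the per-channel URL bucketing described above, run over a constructed sample PDF. It assumes link annotations are stored as plain uncompressed objects (as wkhtmltopdf/Qt 4 writes them; PDFs that pack annotations into object streams need a real parser such as pypdf first) and ignores backslash escapes inside PDF strings. All hostnames are placeholders. Beyond the single-host clustering the heuristic text mentions, it also scores a shared path layout, because the links listed above span many hosts but one /uploads/ layout.

```python
"""Link-farm triage for small PDFs (cf. PDF_SEO_LINK_FARM and EMBEDDED_URL).
Added example; assumes plain (uncompressed) link annotation objects."""
import re
from collections import Counter
from urllib.parse import urlparse

# Clickable links: /A << /S /URI /URI (http://...) >> inside Link annotations.
URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")
# Any other http(s) string in the file (XMP namespaces, page text, ...).
ANY_URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
# XMP/RDF schema identifiers are metadata vocabulary, not navigable links.
XMP_NAMESPACE_PREFIXES = ("http://www.w3.org/1999/02/22-rdf-syntax-ns",
                          "http://purl.org/dc/", "http://ns.adobe.com/")


def extract_urls(pdf: bytes) -> dict:
    """Bucket every URL by the channel that reached it (the per-URL labels)."""
    clickable = {m.decode("latin-1") for m in URI_ACTION_RE.findall(pdf)}
    seen = {m.decode("latin-1") for m in ANY_URL_RE.findall(pdf)}
    out = {"link_annotation": sorted(clickable), "xmp_namespace": [], "document_string": []}
    for u in sorted(seen - clickable):
        out["xmp_namespace" if u.startswith(XMP_NAMESPACE_PREFIXES) else "document_string"].append(u)
    return out


def path_template(url: str) -> str:
    """Directory part of the path with digit runs normalised:
    /uploads/1/3/1/4/131406804/6235938.pdf -> /uploads/N/N/N/N/N/"""
    directory = urlparse(url).path.rpartition("/")[0] + "/"
    return re.sub(r"\d+", "N", directory)


def link_farm_verdict(pdf: bytes, max_size=200 * 1024, min_links=8, cluster_ratio=0.6) -> dict:
    """Small file + many clickable external .pdf links + one dominant host OR one
    dominant path layout (added signal: the listed links share a layout, not a host)."""
    links = extract_urls(pdf)["link_annotation"]
    pdf_links = [u for u in links if urlparse(u).path.lower().endswith(".pdf")]
    n = len(pdf_links)
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    layouts = Counter(path_template(u) for u in pdf_links)
    host_share = hosts.most_common(1)[0][1] / n if n else 0.0
    layout_share = layouts.most_common(1)[0][1] / n if n else 0.0
    flagged = len(pdf) <= max_size and n >= min_links and max(host_share, layout_share) >= cluster_ratio
    return {"size": len(pdf), "external_pdf_links": n, "distinct_hosts": len(hosts),
            "top_host_share": round(host_share, 2), "top_layout_share": round(layout_share, 2),
            "PDF_SEO_LINK_FARM": flagged}


def build_sample_pdf(links, body_text):
    """Constructed sample: one page with URI link annotations, a content stream
    carrying body_text, and an XMP packet with the usual schema namespaces."""
    xmp = ('<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           'xmlns:dc="http://purl.org/dc/elements/1.1/" '
           'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></x:xmpmeta>')
    content = f"BT /F1 12 Tf 72 720 Td ({body_text}) Tj ET"
    annots = [(6 + i, f"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                      f"/A << /S /URI /URI ({u}) >> >>") for i, u in enumerate(links)]
    objs = [(1, "<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>"),
            (2, "<< /Type /Pages /Kids [3 0 R] /Count 1 >>"),
            (3, f"<< /Type /Page /Parent 2 0 R /Contents 5 0 R /Annots "
                f"[{' '.join(f'{n} 0 R' for n, _ in annots)}] >>"),
            (4, f"<< /Type /Metadata /Subtype /XML /Length {len(xmp)} >>\nstream\n{xmp}\nendstream"),
            (5, f"<< /Length {len(content)} >>\nstream\n{content}\nendstream")] + annots
    body = "%PDF-1.4\n" + "".join(f"{n} 0 obj\n{d}\nendobj\n" for n, d in objs)
    return (body + "trailer\n<< /Root 1 0 R >>\n%%EOF\n").encode("latin-1")


# Constructed inputs: placeholder hosts; the farm's path layout mirrors the listed URLs.
FARM_LINKS = [f"http://site{i:02d}.example/uploads/1/3/{i % 2}/{4 + i % 3}/1304{i:05d}/f{i}.pdf"
              for i in range(10)]
CITATION_LINKS = ["http://journal-a.example/papers/2019/smith.pdf",
                  "http://journal-b.example/archive/vol3/jones.pdf",
                  "http://lab.example/tech-reports/tr-42.pdf"]
LURE_TEXT = ("Buell 1125r torque specs: "
             "http://lure.example/uploads/1/3/1/4/131408772/131408772.html#buell+1125r+torque+specs")
FARM_PDF = build_sample_pdf(FARM_LINKS, LURE_TEXT)
CITING_PDF = build_sample_pdf(CITATION_LINKS, "See the references below.")

if __name__ == "__main__":
    for name, pdf in (("farm", FARM_PDF), ("citing", CITING_PDF)):
        print(name, link_farm_verdict(pdf), extract_urls(pdf)["document_string"])
```

The farm sample trips the rule on layout share alone (every link on a different host, all under the same /uploads/N/N/N/N/N/ directory shape), while the three-link citing document stays under the link threshold; the XMP namespace URIs are bucketed separately so they never count toward the verdict.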

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00006e44.bin
    SHA-256: 8338973409d6171b8a2506673309aaec7a9830c3091e54bac5390421b185eeab
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x6E44; Size: 9212 bytes
  • font_01_sfnt_off00009152.bin
    SHA-256: 41d5c9cb4d60b7530e3cfd93a78efd430fe179aa57a8296e74fb8a971da4b0ee
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x9152; Size: 2600 bytes
  • font_02_sfnt_off00009a7b.bin
    SHA-256: b080e6aa9682ff87567a230b404ab00780bafcfd3ba11e3f536b788ca6e08ef5
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x9A7B; Size: 16060 bytes

All three are sfnt (TrueType-style) font programs embedded in the document. The report attaches no detection to them; carving them lets each font be hashed and scanned as a stand-alone file.
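As an added example (not the analysis platform's own code), how a pdf-font-stream artifact like the three above is carved: scan the file for an sfnt header, take the font's size from its own table directory rather than trusting the surrounding stream /Length, and hash the result. It assumes the font stream is stored uncompressed (a FlateDecode'd FontFile2 stream must be inflated before carving); the sample fonts and the PDF wrapping them are constructed.

```python
"""Carve embedded sfnt (TrueType/OpenType) fonts out of a PDF by table directory.
Added example; assumes uncompressed font streams and constructed sample data."""
import hashlib
import struct

SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")  # TrueType, Apple TrueType, CFF OpenType


def sfnt_length(buf: bytes, off: int) -> "int | None":
    """Size of the sfnt starting at off, derived from its table directory, or None
    if the header is not a plausible font (every table must lie inside the buffer).
    This also rejects the word 'true' that appears in ordinary PDF dictionaries."""
    if buf[off:off + 4] not in SFNT_MAGICS or len(buf) < off + 12:
        return None
    num_tables = struct.unpack_from(">H", buf, off + 4)[0]
    if not 1 <= num_tables <= 64 or len(buf) < off + 12 + 16 * num_tables:
        return None
    end = 12 + 16 * num_tables
    for i in range(num_tables):
        tag, _csum, toff, tlen = struct.unpack_from(">4sIII", buf, off + 12 + 16 * i)
        if not all(0x20 <= b < 0x7F for b in tag) or toff < 12 or off + toff + tlen > len(buf):
            return None  # directory points outside the data: not a real font
        end = max(end, toff + tlen)
    return (end + 3) & ~3  # tables are 4-byte aligned


def carve_sfnt_fonts(pdf: bytes) -> list:
    """Scan for sfnt headers; return (offset, size, sha256) for each carved font."""
    found, pos = [], 0
    while True:
        hits = [i for i in (pdf.find(m, pos) for m in SFNT_MAGICS) if i != -1]
        if not hits:
            return found
        off = min(hits)
        size = sfnt_length(pdf, off)
        if size:
            found.append((off, size, hashlib.sha256(pdf[off:off + size]).hexdigest()))
            pos = off + size  # skip the font body so interior bytes are not rescanned
        else:
            pos = off + 1


def build_sample_sfnt(tables: dict) -> bytes:
    """Constructed minimal TrueType container: offset table, directory, padded tables."""
    num = len(tables)
    header = b"\x00\x01\x00\x00" + struct.pack(">HHHH", num, 16, 0, 0)
    directory, data, off = b"", b"", 12 + 16 * num
    for tag, payload in tables.items():
        padded = payload + b"\0" * (-len(payload) % 4)
        directory += struct.pack(">4sIII", tag, 0, off, len(payload))
        data += padded
        off += len(padded)
    return header + directory + data


def font_stream_obj(num: int, font: bytes) -> bytes:
    """Constructed uncompressed FontFile2 stream object (/Length1 == /Length)."""
    head = f"{num} 0 obj\n<< /Length {len(font)} /Length1 {len(font)} >>\nstream\n".encode()
    return head + font + b"\nendstream\nendobj\n"


# Constructed sample: two fonts (108 and 116 bytes) inside a tiny PDF whose
# catalog also contains the literal 'true', which the carver must not mistake for a font.
FONT_A = build_sample_sfnt({b"head": b"\x00\x01" * 27, b"cvt ": b"\x00\x10\x00\x20\x00"})
FONT_B = build_sample_sfnt({b"glyf": b"\xff" * 40, b"loca": b"\x00" * 6, b"name": b"Sample"})
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Marked true >>\nendobj\n"
              + font_stream_obj(2, FONT_A) + font_stream_obj(3, FONT_B) + b"%%EOF\n")

if __name__ == "__main__":
    for off, size, digest in carve_sfnt_fonts(SAMPLE_PDF):
        print(f"font at offset 0x{off:X}, {size} bytes, sha256 {digest}")
```

Deriving the size from the table directory is what makes the carved artifact reproducible: the same font yields the same bytes and the same SHA-256 whether it is cut from this PDF or from any other container, which is what lets the hashes in the table above be matched across samples.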