Malicious PDF — malware analysis report

Static analysis result for SHA-256 d9607ff656c774ab…

Verdict: MALICIOUS
File type: PDF
Size: 35.1 KB
Created: 2020-06-07 17:52:01 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: bc93a212e5eae78a2bee9d429c873919
SHA-1: 7b45ef5afcf2ca32ee86ce7b1cefdbead9b505be
SHA-256: d9607ff656c774abe4d26ce4ba18f17456a238c3da009a2c6fb40accce84c157
Risk score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains numerous external links, many of which are hosted on suspicious domains and are part of a link farm. The document body, though partially obfuscated, contains a URL that mimics a video link, suggesting a social engineering lure. The ML classifier also strongly indicated maliciousness. The primary attack pattern involves redirecting users to potentially malicious websites for further exploitation.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000057b0.bin
    SHA-256: 86dc53e33ed0357b50f1c97d413f785673c16d6f3b020fdb14a04660e9b0ea9c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x57B0
    Size: 12536 bytes