Malicious PDF — malware analysis report

Static analysis result for SHA-256 d9a5f001f20862a9…

Verdict: MALICIOUS
File type: PDF
Size: 41.1 KB
Created: 2020-03-29 05:27:54 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: a06af6fe85ccc1ebd9cab79485716045
SHA-1: deaf77332ced885f028e00828fd9e7080cd375b7
SHA-256: d9a5f001f20862a95da3c5e3787618ff1e1aa960da0cfa6a3db99ae94850f6d9
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, suggesting a link farm or distribution mechanism. The document body presents itself as a manual, likely a lure to entice users to click on the embedded links. The ML classifier also strongly indicated maliciousness. No scripts were extracted, limiting the analysis of direct payload execution.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename:  font_00_sfnt_off00007962.bin
SHA-256:   1eb06ca2418585903862c3bc93010ce7a54c99803f7098958422e786313228b9
Kind:      pdf-font-stream
Source:    PDF embedded font (sfnt) at offset 0x7962
Size:      7352 bytes