Malicious PDF — malware analysis report

Static analysis result for SHA-256 daf4b462d6445a83…

Verdict: MALICIOUS

File type: PDF
Size: 43.2 KB
Created: 2020-05-19 15:01:11 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a1ac5a38beaea0abfbb9cb10eb91be17
SHA-1: a3c5c9cdefb0bafad179b05145de482082c3a281
SHA-256: daf4b462d6445a83ce58fe96819de0fef29a86a2ea87133f6b57f0d8edadb805
Risk score: 92

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.001 Malicious Link

The PDF contains a large number of external links, flagged by the PDF_SEO_LINK_FARM heuristic, and further URLs were recovered from the obfuscated document body. These links most likely route users to malicious or unwanted-software sites or serve to manipulate search-engine rankings. The producer string (wkhtmltopdf via Qt) shows the file was rendered from HTML, which fits an automatically generated link-farm carrier rather than an authored document. The ML classifier also scores the file as malicious with high confidence.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9903

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://perillianconsulting.com/uploads/1/3/0/3/130324072/130324072.html#capadocia+season+3+subtitles+free
    • http://topfoda.com/uploads/1/3/0/4/130477839/voredulofibixa.pdf
    • http://straitsbon.com/uploads/1/3/0/4/130436159/zadivexegu-jefixisikasukej-xajujelaxulovab.pdf
    • http://sophiesticated-travelstories.com/uploads/1/3/1/3/131398488/gilalunivojoko_wugogadif_rovimeva_vedew.pdf
    • http://manonincometax.com/uploads/1/3/0/7/130775220/3522808.pdf
    • http://peruknowledge.com/uploads/1/3/0/6/130620222/4707212.pdf
    • http://mynaturalplace.com/uploads/1/3/1/4/131414019/mavidotasuka-saresifin-jibixovikul-jepokekezivamo.pdf
    • http://bddance.fr/uploads/1/3/1/0/131070073/9976b7cd16.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    Analyst notes on the list: the last six entries (RDF, Dublin Core and Adobe XMP namespaces) are identifiers from the document's XMP metadata stream. They appear in practically every generated PDF, are not navigable links, and carry no signal. The first eight are the actual link targets; note that they span eight unrelated domains but share one identical generated directory layout (/uploads/1/3/x/x/13xxxxxxx/...), so the clustering that matters here is on that path template rather than on a single host.
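As an added worked example (not code from the report or from the analysis tool that produced it), the script below implements the kind of check behind the PDF_SEO_LINK_FARM and EMBEDDED_URL findings: it inflates Flate-compressed streams so links hidden in object streams become visible, tags each URL with the channel that carried it (/URI link-annotation action versus document body), drops the XMP namespace URIs, and then flags a small PDF whose links cluster on one host. It goes one step beyond the heuristic text by also clustering on a digit-masked directory template, which is what the eight targets above share. The thresholds, the `build_sample_pdf` helper and its sample input are illustrative assumptions, not values taken from the tool.

```python
import re
import zlib
import posixpath
from collections import Counter
from urllib.parse import urlsplit

# XMP / Dublin Core / Adobe namespace identifiers sit in the metadata stream of
# almost every generated PDF; they are reported but never counted as links.
METADATA_NAMESPACES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://purl.org/dc/elements/1.1/",
    "http://ns.adobe.com/",
)

STREAM = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
URI_ACTION = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")  # /A << /S /URI /URI (...) >>
ANY_URL = re.compile(rb"https?://[^\s<>\"'()]+")


def _visible_text(pdf: bytes) -> bytes:
    """Raw file plus every stream body, inflated where it is Flate-encoded, so
    URLs inside compressed object streams become searchable."""
    parts = [pdf]
    for m in STREAM.finditer(pdf):
        body = m.group(1)
        try:
            parts.append(zlib.decompressobj().decompress(body))
        except zlib.error:
            parts.append(body)  # not Flate-compressed: search the bytes as they are
    return b"\n".join(parts)


def extract_urls(pdf: bytes) -> list:
    """Every distinct URL in the file, tagged with the channel that carried it:
    'link-annotation' for /URI actions, 'body' for anything else."""
    text = _visible_text(pdf)
    actions = {re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1")
               for m in URI_ACTION.finditer(text)}
    found, seen = [], set()
    for m in ANY_URL.finditer(text):
        url = m.group(0).decode("latin-1")
        if url not in seen:
            seen.add(url)
            found.append((url, "link-annotation" if url in actions else "body"))
    return found


def _path_template(url: str) -> str:
    """Directory part of the URL with digit runs masked, so that
    /uploads/1/3/0/4/130477839/x.pdf becomes /uploads/#/#/#/#/#."""
    return re.sub(r"\d+", "#", posixpath.dirname(urlsplit(url).path))


def analyse_links(pdf: bytes, size_limit=100 * 1024, min_links=5, cluster_share=0.5) -> dict:
    """Link-farm verdict (thresholds are illustrative assumptions): a small PDF with
    many external links that pile up on one host, or on one generated directory
    layout spread across many hosts."""
    urls = extract_urls(pdf)
    links = [u for u, _ in urls if not u.startswith(METADATA_NAMESPACES)]
    hosts = Counter(urlsplit(u).netloc.lower() for u in links)
    templates = Counter(_path_template(u) for u in links)
    top_host, host_n = hosts.most_common(1)[0] if hosts else ("", 0)
    top_tmpl, tmpl_n = templates.most_common(1)[0] if templates else ("", 0)
    n = len(links)
    host_share = host_n / n if n else 0.0
    tmpl_share = tmpl_n / n if n else 0.0
    flagged = (len(pdf) <= size_limit and n >= min_links
               and max(host_share, tmpl_share) >= cluster_share)
    return {"urls": urls, "links": links, "top_host": top_host, "host_share": host_share,
            "top_template": top_tmpl, "template_share": tmpl_share, "flagged": flagged}


def build_sample_pdf(urls, compress=True) -> bytes:
    """Constructed test input (not the analysed sample): a minimal PDF whose link
    annotations sit in a Flate-compressed object stream, plus an XMP metadata
    stream carrying the usual namespace URIs."""
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI (%s) >> >>\n"
        % u.encode("latin-1") for u in urls)
    body = zlib.compress(annots) if compress else annots
    flt = b"/Filter /FlateDecode " if compress else b""
    xmp = (b"<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#' "
           b"xmlns:dc='http://purl.org/dc/elements/1.1/' "
           b"xmlns:pdf='http://ns.adobe.com/pdf/1.3/'/>")

    def obj(num, d, stream=None):
        head = b"%d 0 obj %s" % (num, d)
        if stream is None:
            return head + b" endobj\n"
        return head + b"\nstream\n" + stream + b"\nendstream endobj\n"

    return b"".join([
        b"%PDF-1.4\n",
        obj(1, b"<< /Type /Catalog >>"),
        obj(2, b"<< /Type /ObjStm " + flt + b"/Length %d >>" % len(body), body),
        obj(3, b"<< /Type /Metadata /Subtype /XML /Length %d >>" % len(xmp), xmp),
        b"%%EOF\n",
    ])
```

Running `analyse_links(open("sample.pdf", "rb").read())` on a real file yields the per-URL channel list and the verdict; the regex-based parsing deliberately ignores object structure so that it also works on damaged or deliberately malformed PDFs, at the cost of occasionally picking up a URL from an unreachable object.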

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded sfnt (TrueType/OpenType container) font streams, which are expected in a PDF rendered from HTML; they are listed for completeness and are not detections in themselves.

Filename: font_00_sfnt_off00005d26.bin
  SHA-256: a36eee06fef6ce219692c4ec918276ac99413e4fd1e3666e4031624f9289d620
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5D26
  Size: 1800 bytes
Filename: font_01_sfnt_off000065b3.bin
  SHA-256: 8b5fa0b9aee71b5553559de19265e6b25430e19c38eff8b2fc32a13f2e7fed8d
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x65B3
  Size: 11552 bytes
Filename: font_02_sfnt_off00008bdd.bin
  SHA-256: 028dbaa76d48ae99b02248bacea50134e27ed131f5dd39e25ac401de8961e19b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8BDD
  Size: 16312 bytes