Malicious PDF — malware analysis report

Static analysis result for SHA-256 dcbad766f408bc29…

MALICIOUS

PDF

Size: 37.9 KB
Created: 2020-04-05 13:23:18 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: b07fca906a892805ca439537c2f1ad9f
SHA-1: 075119ae5845a2ba44809517f0d4a80b076b4530
SHA-256: dcbad766f408bc292c8a0e35137491c01c65324b117780cc66d9de271e53b739
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links to domains that appear to be part of a link farm, a common tactic for SEO manipulation and distributing malicious content. The ML classifier strongly indicated maliciousness. The document body itself is heavily obfuscated but contains references to the URLs, suggesting the primary purpose is to drive traffic to these external sites, likely for further exploitation or phishing.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://wildchild.dance/uploads/1/3/0/4/130488700/130488700.html#agentes+de+socializacion+familia+pdf
    • http://madelynbloom.com/uploads/1/3/0/7/130739315/5420883.pdf
    • http://fishnyak.com/uploads/1/3/0/2/130288002/1566150e8a3.pdf
    • http://sjhumangeo.com/uploads/1/3/0/5/130590308/2834598.pdf
    • http://wakelandmanorinc.com/uploads/1/3/0/6/130639685/papefesesodub.pdf
    • http://all-enproducts.com/uploads/1/3/1/0/131071113/kufiz-jilogiwikokejis.pdf
    • http://tmpropertysolutions.com/uploads/1/3/1/3/131383630/2225562.pdf
    • http://aleonor1to1.com/uploads/1/3/0/7/130740025/rogudu.pdf
    • http://jbheslip.com/uploads/1/3/0/4/130477702/sefolikom-zuxobiloludipa-tikikuboxap.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00006177.bin
    SHA-256: b095009e1aa7b679086a2dd093949a1e2bfdfa179c83d9e64a20210f199a406d
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6177
    Size: 1544 bytes
  • Filename: font_01_sfnt_off000068e7.bin
    SHA-256: 911feec232dce94b5c71ff7ccbba0eed3f555b15d6abf67112185a7370376e86
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x68E7
    Size: 8888 bytes