Malicious PDF — malware analysis report

Static analysis result for SHA-256 e088c20329eb42c5…

Verdict: MALICIOUS
File type: PDF
Size: 37.9 KB
Created: 2020-04-11 02:53:59 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: bdf53337c3a1fc12f15b386afbda694b
SHA-1: 3e7103738ecb8a67add7409238ff77afcc801cb7
SHA-256: e088c20329eb42c5d60fc0558efcab1c43f5b6fd73c084b55318b4132d1c37c7
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links pointing to other PDF files hosted on various domains, indicative of a link farm. The ML classifier also flagged this PDF as malicious with high confidence. The presence of these links suggests an attempt to direct users to download further content, likely malicious, under the guise of providing software or information.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9985

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000062c5.bin
  SHA-256: c6f0d235a67cf3c543fb69d93973da3ec189b6a5d56d519867f29849ddd6eca4
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x62C5
  Size: 7972 bytes

Filename: font_01_sfnt_off000081d3.bin
  SHA-256: bb2f140aec3b6c16e89961f7dbef9bb8e461895b35579bd897f8c94f2a2dfeff
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x81D3
  Size: 2140 bytes