Malicious PDF — malware analysis report

Static analysis result for SHA-256 e10a52cd5a53a890…

MALICIOUS

PDF

Size: 30.4 KB
Created: 2020-03-11 14:11:56 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 98c04095e250f180258f0240b993e7d7
SHA-1: 5fa042ec57cf5e649ddb5b871d837a520c388d1a
SHA-256: e10a52cd5a53a890f1676a89dd68622601444c9986b4f3ca63c118e3dbdc7105
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of embedded external links, a common technique for SEO poisoning and directing users to malicious websites. The document body, though heavily obfuscated, contains URLs that are also present in the list of extracted URLs. The ML classifier strongly flagged this PDF as malicious, supporting the conclusion that it is designed to lead users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://74-123-73-250.mgwnet.com/uploads/1/3/0/4/130435641/130435641.html#am+i+color+blind+test+free
    • http://worldclasstitle.net/uploads/1/3/0/8/130813834/zibipiragigarejetipu.pdf
    • http://larkappella.com/uploads/1/3/0/3/130313323/96a1733.pdf
    • http://lidiabrito.com/uploads/1/3/0/8/130873841/3446987.pdf
    • http://www.yandino.org/uploads/1/3/0/9/130969976/lupepirozepuxokusa.pdf
    • http://adventureswithrocks.com/uploads/1/3/0/6/130639140/6079163.pdf
    • http://mta-sts.mx.edenliterary.com/uploads/1/3/0/2/130289448/8938832.pdf
    • http://juliemoselenartist.com/uploads/1/3/0/8/130874121/1467895.pdf
    • http://metakinkpodcast.com/uploads/1/3/0/5/130548039/428814d5246fd6.pdf
    • http://www.mhdtechcorp.com/uploads/1/3/0/6/130620842/fuvumerepudexa-gupawez.pdf
    • http://www.warriorkingmma.com/uploads/1/3/0/6/130620962/2826727.pdf
    • http://johacreationsandpublishing.com/uploads/1/3/0/4/130483302/wofunepos-zugubizasagoler-zetibaka.pdf
    • http://hostmaster.highflyerseducation.com/uploads/1/3/0/4/130476525/4985299.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005177.bin
SHA-256: fdff9543da8ad2980ac932ceeecf579fc168557a964e203168a60e0856ed43cc
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5177
Size: 6824 bytes