Malicious PDF — malware analysis report

Static analysis result for SHA-256 e2b55cf6efff01fc…

MALICIOUS

PDF

Size: 38.8 KB
Created: 2020-05-21 19:23:30 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9fc670cc0821c8b9fbde67092434d3ed
SHA-1: e82923ee2eb111aa6b2251e77027d96a45b799fd
SHA-256: e2b55cf6efff01fcf7f70ead25adf59afb52220d2d5fdd9ecb2edbdab4f4da61
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of external links and is flagged by the PDF_SEO_LINK_FARM heuristic. The document body, though heavily obfuscated, contains the phrase 'grade 1 reading comprehension' and numerous URLs. This indicates a generated SEO/link-farm carrier whose links may route users to malicious content or phishing sites rather than a document with a normal citation pattern. No scripts were extracted from this sample, so the PowerShell technique listed under MITRE ATT&CK is not evidenced by any code in the file itself.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://allwestindustries.com/uploads/1/3/0/6/130620604/130620604.html#grade+1+reading+comprehension
    • http://zianyalemus.com/uploads/1/3/1/8/131856495/099bce1aac1.pdf
    • http://dandldistributing.com/uploads/1/3/0/6/130604986/3e6946ce55c6b3.pdf
    • http://moses-balan.com/uploads/1/3/0/4/130491253/giwaj.pdf
    • http://rainbowhouseshaveicesmoothies.com/uploads/1/3/0/2/130270845/6642877.pdf
    • http://divinespirithealingcenter.org/uploads/1/3/0/5/130543133/virupizebusabadu.pdf
    • http://plantseverywhere.com/uploads/1/3/0/6/130621337/vufabebavitewojos.pdf
    • http://elysianwhitetails.net/uploads/1/3/0/3/130324206/4102464.pdf
    • http://groundedearthyoga.net/uploads/1/3/1/0/131070753/3805757.pdf
    • http://kingdomleadershipsummit.org/uploads/1/3/0/7/130775679/zomesomurelagi-kojufafevev-jesuriki.pdf
    • http://helix-intraocular.com/uploads/1/3/1/1/131164132/gipilitoteb.pdf
    • http://bluevalleylops.com/uploads/1/3/0/5/130590339/c0c897c4b87d52f.pdf
    • http://casacutei.eu/uploads/1/3/0/6/130604048/3084843.pdf
    • http://sristiorg.com/uploads/1/3/1/0/131069910/gexizinogejilaz.pdf
    • http://allfireduppizza.net/uploads/1/3/1/4/131438819/367e782e8293d6.pdf
    • http://dktransportllc.com/uploads/1/3/0/5/130589288/zabevagejinuto.pdf
    • http://fortheloveofafrica.com/uploads/1/3/0/6/130604918/sawogifurogugukaw.pdf
    • http://trikonafitness.com/uploads/1/3/0/4/130477131/sezesarojome.pdf
    • http://keepthechangeentertainment.com/uploads/1/3/0/4/130436242/weloki.pdf
    • http://woodnblock.com/uploads/1/3/0/5/130588295/sujiruko.pdf
    • http://garyfowliemedia.com/uploads/1/3/0/9/130969631/mowum.pdf
    • http://ktaconstructionmaintenance.com/uploads/1/3/1/4/131406669/letege.pdf
    • http://sonny5ideup.com/uploads/1/3/0/7/130776262/51dbc1883aa2.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries are standard RDF, Dublin Core and Adobe XMP schema namespace identifiers from the document's metadata, not navigable links; only the /uploads/... URLs above them are link-farm targets.
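
Added example (not the analysis platform's own detector): a stand-alone Python sketch of the PDF_SEO_LINK_FARM rule described in the Malware Insights paragraph and in the heuristic entry above. It pulls /URI action targets out of raw PDF bytes (literal and hex strings, uncompressed objects only, so not object streams) and then checks the three conditions the heuristic names: small file, many external .pdf links, and clustering. Clustering by shared path template (the /uploads/1/3/x/y/<id>/ shape every listed link shares, even across different hosts) is my own extension of the host-based clustering the heuristic text mentions. The thresholds, the .example/.test host names and the two sample PDFs are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Thresholds are illustrative assumptions, not the analysis platform's values.
MAX_SMALL_PDF_BYTES = 100 * 1024  # upper bound for a "small" carrier PDF
MIN_PDF_LINKS = 10                # external .pdf links needed to count as "mass"
CLUSTER_FRACTION = 0.5            # share of links on one host or one path template

# Target of a /URI action: a literal string (...) with backslash escapes,
# or a hex string <...>.
URI_ACTION = re.compile(
    rb"/URI\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]*)>)", re.S)


def extract_uris(pdf: bytes) -> list:
    """Return every /URI action target in file order. Does not inflate
    compressed object streams, so it only sees uncompressed annotations."""
    uris = []
    for m in URI_ACTION.finditer(pdf):
        if m.group(1) is not None:
            raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # undo \( \) \\
        else:
            hexdigits = re.sub(rb"\s", b"", m.group(2))
            if len(hexdigits) % 2:  # PDF pads a trailing odd digit with 0
                hexdigits += b"0"
            raw = bytes.fromhex(hexdigits.decode("ascii"))
        uris.append(raw.decode("latin-1"))
    return uris


def path_template(url: str) -> str:
    """Directory part of the URL path with digit runs collapsed, so that
    /uploads/1/3/0/6/130620604/a.pdf and /uploads/1/3/1/8/131856495/b.pdf
    fall into the same bucket (/uploads/#/#/#/#/#)."""
    directory = urlparse(url).path.rsplit("/", 1)[0]
    return re.sub(r"\d+", "#", directory)


def link_farm_verdict(pdf: bytes) -> dict:
    """Apply the PDF_SEO_LINK_FARM-style rule: small file, many external .pdf
    links, and those links clustered on one host or one path template."""
    external = [u for u in extract_uris(pdf)
                if urlparse(u).scheme in ("http", "https")]
    pdf_links = [u for u in external
                 if urlparse(u).path.lower().endswith(".pdf")]
    n = len(pdf_links)

    def top_share(keys):
        # Fraction of .pdf links that fall into the single most common bucket.
        return Counter(keys).most_common(1)[0][1] / n if n else 0.0

    host_share = top_share(urlparse(u).hostname for u in pdf_links)
    template_share = top_share(path_template(u) for u in pdf_links)
    hit = (len(pdf) <= MAX_SMALL_PDF_BYTES
           and n >= MIN_PDF_LINKS
           and max(host_share, template_share) >= CLUSTER_FRACTION)
    return {"size": len(pdf), "external_links": len(external),
            "pdf_links": n, "host_share": host_share,
            "template_share": template_share, "hit": hit}


def build_sample_pdf(urls) -> bytes:
    """Constructed test input: a PDF skeleton carrying one /Link annotation per
    URL. Not a viewer-valid file and not the analysed sample."""
    annots = b"".join(
        b"<< /Type /Annot /Subtype /Link /A << /S /URI /URI (%s) >> >>\n"
        % u.encode("latin-1") for u in urls)
    return b"%PDF-1.4\n" + annots + b"%%EOF\n"


# Hypothetical hosts; the path template mirrors the /uploads/1/3/x/y/<id>/
# shape of the links in the report. The trailing RDF namespace URI shows a
# non-.pdf URL being counted as external but not as a farm link.
FARM_PDF = build_sample_pdf(
    [f"http://site{i}.example/uploads/1/3/0/{i % 10}/13{i:07d}/file{i}.pdf"
     for i in range(12)]
    + ["http://www.w3.org/1999/02/22-rdf-syntax-ns#"])

# A document with a normal citation pattern: few links, unrelated paths.
CITATION_PDF = build_sample_pdf([
    "https://docs.example/spec.pdf",
    "https://www.example/paper.pdf",
    "https://example.test/about.html"])

if __name__ == "__main__":
    for name, sample in (("farm", FARM_PDF), ("citation", CITATION_PDF)):
        print(name, link_farm_verdict(sample))
```

Run it directly to see both verdicts; on a real file, read the bytes and pass them to `link_farm_verdict`. Because the scanner works on raw bytes, it misses links inside compressed object streams (common in modern producers), so a production version should first decompress FlateDecode streams or use a full PDF parser.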

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006c53.bin
SHA-256: 60cc5bd85b7097ed2d0b006b6ff2da993a3ecde2f766f68367c4f777626230ba
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6C53
Size: 10332 bytes