Malicious PDF — malware analysis report

Static analysis result for SHA-256 e5360132367da421…

Verdict: MALICIOUS
File type: PDF
Size: 83.0 KB
Created: 2020-06-01 06:14:44 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ad718eb79f0f02c50fe9f3ae4862bb4c
SHA-1: d422c9fecc4ce0a3bb64852d88a0ed457b62724f
SHA-256: e5360132367da42162e05fe755b232b63d6e6da7c309c54077258cc0a6a559a8
Risk score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links, many pointing to domains that appear to be part of a link farm. The heuristic 'PDF_SEO_LINK_FARM' specifically identifies this behavior, suggesting the document is designed to drive traffic to a network of sites. The ML classifier also strongly indicates maliciousness. No scripts were extracted, and the document body is heavily obfuscated, but the pattern of link generation is clear.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9995

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Each entry lists the carved file's name, SHA-256, kind, source within the PDF, and size.

  • font_00_sfnt_off0000a9dc.bin
    SHA-256: 101c01e8f485dee26c5daeffebf974865a9cfc041cb07199ff0e350e019dede4
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xA9DC; Size: 5992 bytes
  • font_01_sfnt_off0000be9d.bin
    SHA-256: 0990f92604e1fde9240139d87a97c4f4cc7267ef6ec05732a56b9b14cb96c919
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xBE9D; Size: 7416 bytes
  • font_02_sfnt_off0000d612.bin
    SHA-256: dd774eec56b961267fc64d40b49b3fddbee39bfe03998d25bf8a1ee9e2356a61
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xD612; Size: 7524 bytes
  • font_03_sfnt_off0000eab4.bin
    SHA-256: 03045d07d60fb8aad6318b63f782ac397c9addca9047b351bb57a277725e0ad7
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0xEAB4; Size: 18344 bytes
  • font_04_sfnt_off00011eda.bin
    SHA-256: 6a36358c0ac6211a8d3f96e65cb2d18431076db5056f4f35d776fb1c18450ee1
    Kind: pdf-font-stream; Source: PDF embedded font (sfnt) at offset 0x11EDA; Size: 19224 bytes