Malicious PDF — malware analysis report

Static analysis result for SHA-256 e55aa6ba7ddce65c…

Verdict: MALICIOUS

File type: PDF

Size: 73.2 KB
Created: 2020-04-22 17:19:56 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)

MD5: aaaddee7a1c97f4a528da41af3ef0781
SHA-1: 362b8e55f1dc03cc44031183ac34bc19e61f4b91
SHA-256: e55aa6ba7ddce65c456a4d2efd5da8e5326815ecbfe64318bd832366694efcfd

Risk Score: 92

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link
  • T1059.001 PowerShell

The PDF contains a large number of external links, many of which point to similarly structured URLs on different domains. This pattern is indicative of a link farm, often used for SEO manipulation or to distribute malicious content. The ML classifier strongly supports the malicious nature of this PDF. No scripts were extracted, limiting the analysis of direct payload execution.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9993

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://keatingphysicaltherapy.net/uploads/1/3/1/1/131164266/131164266.html#sheets+pet+clinic+nc
    • http://reviewsbystudents.com/uploads/1/3/0/6/130605238/4747058.pdf
    • http://whiteculture.net/uploads/1/3/1/3/131383763/lononik.pdf
    • http://franksecen.com/uploads/1/3/0/7/130740242/bezeba-fevejuf.pdf
    • http://hshair.net/uploads/1/3/0/3/130323293/9784648.pdf
    • http://craftcores.com/uploads/1/3/0/6/130639906/sekavipotizefuzi.pdf
    • http://stoneandsageapothecary.com/uploads/1/3/0/2/130289305/xetibuti.pdf
    • http://painrecovery.coach/uploads/1/3/1/4/131483110/2364527.pdf
    • http://nodovgroup.com/uploads/1/3/0/6/130604169/ridugorojize-ludoziv.pdf
    • http://aryanbhasin.com/uploads/1/3/0/5/130542982/mefexa.pdf
    • http://r3rep.net/uploads/1/3/0/2/130287893/8737922.pdf
    • http://r3rep.net/upl
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off0000922b.bin
    SHA-256: 0b5e6ab6ccc5392c140ffe9cf945a20da04ec592b42dfecdf941f5b9749a1a6e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x922B
    Size: 6592 bytes
  • font_01_sfnt_off0000a26c.bin
    SHA-256: 9bd9339ef6951ee5f7016b62aa67f3af91eec886dc0c531a730141eb4ac4e8f2
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA26C
    Size: 9448 bytes
  • font_02_sfnt_off0000c616.bin
    SHA-256: ea1f6e48ddc2f0c73ab1adb9f53444edc4834e1d675de0e961ffaae9b5b728da
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC616
    Size: 3024 bytes
  • font_03_sfnt_off0000d0a9.bin
    SHA-256: 203465c4fb654f13f40a186343260fc1b464335beb7bee92016baf81dac72b2c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD0A9
    Size: 18560 bytes
  • font_04_sfnt_off0000f9e3.bin
    SHA-256: eff1fe8301fa1f7000a8d7453dde2e06d5ceaa4a9a1dc00860a108d905077883
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF9E3
    Size: 19396 bytes