Malicious PDF — malware analysis report

Static analysis result for SHA-256 e6ec485f10ad80ea…

Verdict: MALICIOUS
File type: PDF
Size: 101.6 KB
Created: 2020-11-08 11:54:09 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 32ab363adf0c85750b043352a73c652f
SHA-1: 24b665f33c04e8fbbeac07363b134a1d6420c014
SHA-256: e6ec485f10ad80ea797f454cb68a7902d9c996ee0c1b17f51d35cda0584029c4
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many pointing to Weebly-hosted PDFs, which suggests a link farm or SEO-manipulation tactic rather than a normal citation pattern. One of the embedded URLs, 'https://traffking.ru/aws?keyword=battle+of+the+books+alaska+2019', is presented directly in the document body, indicating a potential lure to a malicious or compromised website. The ML classifier also flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9662

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL in document body: https://traffking.ru/aws?keyword=battle+of+the+books+alaska+2019
    Extracted URLs:
    • https://vamewufu.weebly.com/uploads/1/3/4/3/134317042/4738192.pdf
    • https://xegiwisupanax.weebly.com/uploads/1/3/4/3/134367095/5e952866.pdf
    • https://kuzaloxamuw.weebly.com/uploads/1/3/1/4/131406684/4e3625c.pdf
    • https://repugonajipivup.weebly.com/uploads/1/3/0/8/130814926/7222755.pdf
    • https://gikotibosad.weebly.com/uploads/1/3/4/3/134332820/jelezozosagabu.pdf
    • https://rojusonevupa.weebly.com/uploads/1/3/0/8/130814232/279793.pdf
    • https://noxazifegem.weebly.com/uploads/1/3/4/5/134596672/wagotomazazuzukaxe.pdf
    • https://wajiresejepo.weebly.com/uploads/1/3/0/7/130774962/1106640.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/8baddb1a-0580-475d-96f6-7b50865fe686/vifufipovawakode.pdf
    • https://s3.amazonaws.com/resixexi/bushido_el_camino_del_guerrero_libro.pdf
    • https://s3.amazonaws.com/bisegilupuf/12356207606.pdf
    • http://dejavu.sourceforge.net
    • http://scripts.sil.org/OFL

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Each entry lists filename, kind, source, size and SHA-256.

  • stream_010_off00017686.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x17686
    Size: 20261 bytes
    SHA-256: 3727c19133a405459dd3b603a6510656e03afe7ef0e24a56aa8f82bb72e5fe63
  • font_00_sfnt_off0000e3ba.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE3BA
    Size: 27008 bytes
    SHA-256: 846e219dae0d25f394bfccab070fb369b63806dec1758b09bb0edad344cec52e
  • font_01_sfnt_off0001381a.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1381A
    Size: 5128 bytes
    SHA-256: ead21b12f64bedd53e4ded39d954def81bc5e87153c5ef1e0c0f8159bcdc6e4b
  • font_02_sfnt_off00014997.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x14997
    Size: 14376 bytes
    SHA-256: f08172fcb5bacafd47eb07a78e3f775139ec2976e0befeb3031ed0eef4891e69