Malicious PDF — malware analysis report

Static analysis result for SHA-256 e7a545d9bb9cc48b…

MALICIOUS

PDF

38.2 KB Created: 2020-05-17 06:30:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b8ed4297b7a48ac4fe87dc1a10956f86 SHA-1: 3c48a698712902fed6c03ec67fef074de5fcb428 SHA-256: e7a545d9bb9cc48b1a93165d8a5e7303844056098a8b35ddd7693a38bea8f46b
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document contains a large number of external links, a technique often used to distribute malware or phish for credentials. The PDF_SEO_LINK_FARM heuristic indicates a deliberate attempt to create a link farm, likely to distribute malicious content or drive traffic to compromised sites. The ML_NYX_PDF_MALICIOUS score further supports the malicious nature of this document. No scripts were extracted, but the extensive link farm suggests a delivery mechanism for further malicious payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://nfpboardwisdom.com/uploads/1/3/0/2/130272918/130272918.html#azure+stack+hci+deployment+guide
    • http://afcsnell.org/uploads/1/3/1/4/131408224/ketejugu.pdf
    • http://socalmrm.com/uploads/1/3/0/7/130739712/losedubiremisonebom.pdf
    • http://umorebrand.shop/uploads/1/3/0/3/130379696/kefazorojiriwefuw.pdf
    • http://newlineofficefurniture.com/uploads/1/3/0/7/130739619/jefirib.pdf
    • http://kevinachen.com/uploads/1/3/1/3/131384298/7700167.pdf
    • http://aimmos.org/uploads/1/3/0/8/130874671/viwiwo.pdf
    • http://larsonip.com/uploads/1/3/0/7/130739002/monoxuj.pdf
    • http://marcoscustomcabinetry.com/uploads/1/3/0/2/130288448/jijepuxuvufejamu.pdf
    • http://amazecareers.com/uploads/1/3/1/4/131482933/pegijugix_katigik_puxuze.pdf
    • http://sahalla.com/uploads/1/3/1/4/131452825/kiludesikuta.pdf
    • http://eggyums.com/uploads/1/3/0/4/130489149/vejadexogot.pdf
    • http://castilloconsultingpartners.com/uploads/1/3/0/7/130740022/vilomaxir.pdf
    • http://rainerhaycraft.com/uploads/1/3/1/4/131406441/22f74a1e.pdf
    • http://amiture2master.com/uploads/1/3/0/6/130620230/rudakegatalusin.pdf
    • http://deadballapparel.com/uploads/1/3/1/3/131398323/bae5af475.pdf
    • http://fijamulder.com/uploads/1/3/0/9/130969406/maratilibajanap_dutusag.pdf
    • http://designsivyou.com/uploads/1/3/0/7/130739129/8460568.pdf
    • http://tedxkarlovackagimnazija.com/uploads/1/3/0/5/130590279/21d26d35d59.pdf
    • http://valuedentalcarolinas.net/uploads/1/3/1/3/131380894/b2701baf6f44e.pdf
    • http://landsofparadise.us/uploads/1/3/0/2/130273803/21c67721a.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006b76.bin
aba1a82b42dd0e6ac2b483b80d89a0ee70aa1e762199bdd938b50cfe5aaf4093		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6B76 9876 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.