Malicious PDF — malware analysis report

Static analysis result for SHA-256 e84a874009da79ba…

Verdict: MALICIOUS
File type: PDF
Size: 36.0 KB
Created: 2020-06-24 12:07:55 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a0ae2bf18d177cca3515a8b0aa427864
SHA-1: 8349332e09ffdd531bb6c23f484e86bdc55064c6
SHA-256: e84a874009da79bad6a0b42b758c517d701e73f550846df368463960db7f921e
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of external links to other PDF files hosted on various domains, indicating a link farm or distribution network. The ML classifier strongly flagged this PDF as malicious. The document body itself is heavily obfuscated but contains references to the URLs, suggesting the primary purpose is to redirect users to these external resources. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://friendshipforceoregon.org/uploads/1/3/0/6/130603884/130603884.html#hania+czajkowski+libros+pdf
    • http://best-auto.org/uploads/1/3/0/4/130483739/dcf6715a.pdf
    • http://mta-sts.mail.clickingcanvases.com/uploads/1/3/1/8/131856394/9191450.pdf
    • http://mtvfc2.org/uploads/1/3/0/4/130483820/0406cd75e6.pdf
    • http://brainbrandllc.com/uploads/1/3/0/7/130739817/4557845.pdf
    • http://usafanfanatics.com/uploads/1/3/0/7/130740323/5378770.pdf
    • http://mail1.whatusee.co.za/uploads/1/3/0/8/130874198/wavabudaxojigelafuju.pdf
    • http://hostmaster.xerbox.ch/uploads/1/3/0/6/130604605/tibori_kusagizigivife_mazefis.pdf
    • http://cpanel.luciferianwatch.com/uploads/1/3/1/8/131856326/jolevameb.pdf
    • http://mail.browbeginnings.com/uploads/1/3/0/8/130815381/mofekud.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00004c6b.bin
SHA-256: 30b77d45725d3504c498dfe42a80d3e2fc2387f01fae77c942a9ca775a6710e6
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x4C6B
Size: 5120 bytes

Filename: font_01_sfnt_off00005dda.bin
SHA-256: 89fbae4db4aeb4386674e5fecadfdfeae2ab9894f8310a6ca1938a4847e9021b
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5DDA
Size: 11284 bytes