Malicious PDF — malware analysis report

Static analysis result for SHA-256 e8733d24bd5969d9…

MALICIOUS

PDF

67.9 KB Created: 2020-06-22 09:52:17 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 01acc3cb3571db6f7bba8c75d80c2435 SHA-1: 9804c8ddc0cb761923652e12424a4b0fccc5312b SHA-256: e8733d24bd5969d9fbd869b96187bfc9f2c15049df2defe769cf448d384cdf2c
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of external links, a technique often used for SEO spam or to redirect users to malicious sites. The ML classifier strongly indicated maliciousness. The document body and extracted URLs suggest a link farm designed to drive traffic to various domains, likely for malicious purposes. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://megantuckernationalcertification.com/uploads/1/3/0/6/130621084/130621084.html#guide+book+writer
    • http://brunson-insurance.com/uploads/1/3/1/3/131398336/dumozexafum.pdf
    • http://bellebaeuk.com/uploads/1/3/0/5/130550903/dewaluga_totodosiro.pdf
    • http://hometravel.org/uploads/1/3/0/9/130969525/kiluluwanikel.pdf
    • http://garynolan.ca/uploads/1/3/0/5/130588497/b95b8400cb30e19.pdf
    • http://cpanel.cabincreekfarmstudio.com/uploads/1/3/1/0/131070566/gadorusupomob_vebate_janejati.pdf
    • http://team5dm.com/uploads/1/3/0/4/130477131/7604448.pdf
    • http://mrmartinez.info/uploads/1/3/0/6/130621648/748697.pdf
    • http://gleamla.org/uploads/1/3/0/4/130435706/57b01817a599.pdf
    • http://mx.ecjc.net/uploads/1/3/1/4/131482882/xabitezimaj.pdf
    • http://jlgaproperties.com/uploads/1/3/0/7/130775755/wijavopivubafej.pdf
    • http://cmanmedia.com/uploads/1/3/0/8/130873902/xobubogelu_sifujejipuruxa_mitajuni_tajedi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000cdf2.bin
00776971e848a8ce614ac83c4d2038d256422a56302f09487b93e2b1ba289e40		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCDF2 4500 bytes
font_01_sfnt_off0000dd64.bin
8fc81d24a86e681186b9039b7553d132d64f8c1f1779e53f3335005863b4203f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDD64 11372 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.