Malicious PDF — malware analysis report

Static analysis result for SHA-256 e8f2d6feaa8693df…

Verdict: MALICIOUS
File type: PDF
Size: 45.6 KB
Created: 2020-05-19 20:54:53 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9ac921251320f74a483cc543c86e416a
SHA-1: e61df73b202e2e595acbafb6a292d43e57b0e326
SHA-256: e8f2d6feaa8693df81edea017301cfde524dbb49e079db6d5d84430d71d1873e
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a mass external link farm, with over 30 links pointing to various domains. The primary purpose appears to be SEO poisoning or distributing malicious content via these numerous external links. The document body contains garbled text and what appears to be metadata from the wkhtmltopdf generator, suggesting it was programmatically created to host these links rather than for user consumption.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ceticubatours.com/uploads/1/3/0/6/130620731/130620731.html#pont+de+wheatstone+exercice
    • http://thefestiebestie.shop/uploads/1/3/0/6/130604045/ee56fe39fa8d2e.pdf
    • http://theethicalstrawco.com/uploads/1/3/0/6/130621061/pikajuxamalubavoko.pdf
    • http://holdmetightcouplesworkshop.com/uploads/1/3/0/4/130488875/wusapipujivox_xetuduzifasomur.pdf
    • http://scbconsultoria.com/uploads/1/3/0/5/130588435/178109.pdf
    • http://risingblades.com/uploads/1/3/1/4/131438111/4035755.pdf
    • http://theparriottgroup.com/uploads/1/3/0/3/130313158/4033722.pdf
    • http://churchsoftwareprogram.com/uploads/1/3/0/7/130739460/8675860.pdf
    • http://melton-plumbing-portal.com/uploads/1/3/1/4/131437306/66103af73917.pdf
    • http://wwwpremiersidingandroofing.com/uploads/1/3/0/2/130291585/ratakonirifad.pdf
    • http://greenhillpm.com/uploads/1/3/0/4/130483869/ecc3669.pdf
    • http://zongatron.com/uploads/1/3/1/4/131407377/6295839.pdf
    • http://greeneyedmonstersinc.com/uploads/1/3/0/9/130969796/lamosirabewe.pdf
    • http://atriumgrandballroom.com/uploads/1/3/0/5/130551641/5e361.pdf
    • http://evolinecorp.com/uploads/1/3/0/8/130814292/vatijowogixatasug.pdf
    • http://evaairways.org/uploads/1/3/1/3/131398022/5967386.pdf
    • http://economicsocialjustice.org/uploads/1/3/0/5/130590432/8278185.pdf
    • http://grupodibox.com/uploads/1/3/0/4/130483806/1266180.pdf
    • http://theessentialmind.com/uploads/1/3/1/0/131070186/vititanezupaduw-nemawifepuxogi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00006dc4.bin
    SHA-256: 06f118efd315ae070eedb501e07b92eeb970371d3e355c7ace7165ff4e14428a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6DC4
    Size: 11816 bytes
  • Filename: font_01_sfnt_off000093f7.bin
    SHA-256: c988415812f594187b0a0ed75dc52802e798e1695b49bd300f8412a65040a449
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x93F7
    Size: 16204 bytes