Malicious PDF — malware analysis report

Static analysis result for SHA-256 e9d5eaf93534f123…

MALICIOUS

PDF

116.1 KB Created: 2020-06-12 13:18:53 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: a2d7d670eac9040b0e753291d780866d SHA-1: a598d1fc2811d4157683c5a4c1495a90852d590f SHA-256: e9d5eaf93534f123914de83648ac9e02f760e720d9fa3f3c01d7ae0aaacd7a08
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. These links point to various domains, suggesting a link farm or a phishing campaign. The ML_NYX_PDF_MALICIOUS heuristic also strongly indicates malicious intent. No scripts were extracted from this sample, and the document body was not sufficiently readable to determine a specific lure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://suntidetravels.xsideas.com/uploads/1/3/0/6/130620436/130620436.html#%25D8%25A5%25D8%25B9%25D8%25A7%25D8%25AF%25D8%25A9+%25D8%25AD%25D8%25B3%25D8%25A7%25D8%25A8+%25D8%25AA%25D9%2583%25D9%2584%25D9%2581%25D8%25A9+%25D8%25B7%25D8%25A7%25D9%2588%25D9%2584%25D8%25A9+%25D8%25A7%25D9%2584%25D8%25A8%25D9%2584%25D9%258A%25D8%25A7%25D8%25B1%25D8%25AF%25D9%2588
    • http://velvetbuddhaarts.com/uploads/1/3/0/6/130639528/xoxuxavulepoxa.pdf
    • http://merrikfish.com/uploads/1/3/0/7/130738975/f6047824c315d4.pdf
    • http://arpsecure.com/uploads/1/3/0/6/130604952/4032af98a165a8.pdf
    • http://74-123-73-221.mgwnet.com/uploads/1/3/1/6/131636833/vuromifob_nigajomoxune_gifubasufu_xuwenufulorekil.pdf
    • http://tflowmusicgroup.com/uploads/1/3/0/2/130287426/83652b01ec2dd7a.pdf
    • http://2u.undesirable.us/uploads/1/3/1/4/131438432/5616b0f0.pdf
    • http://marthamckaydesign.com/uploads/1/3/0/9/130969623/jakesusofutole.pdf
    • https://kidubivo.files.wordpress.com/2020/06/joxafazidox.pdf
    • https://nitodixusaki813822408.files.wordpress.com/2020/06/69699004089.pdf
    • https://ruxejetufe.files.wordpress.com/2020/06/93207694891.pdf
    • https://lotodirod.files.wordpress.com/2020/06/9328407337.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
stream_005_off00016006.bin
e1eafc0df3aad042b8121c4590023946804eedfd49ab7530a9421696501b9e14		 decompressed-pdf-stream PDF FlateDecoded stream at offset 0x16006 36172 bytes
font_00_sfnt_off00013352.bin
fa72874b8c381873b432d3b5cea9ecddba20f04e8e1c9face7d560df1136061a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13352 6588 bytes
font_01_sfnt_off000143c0.bin
73adb1761e0dfc70226edd9bb5741de62e12b971cc34a7bc937f241c2a501a95		 pdf-font-stream PDF embedded font (sfnt) at offset 0x143C0 8444 bytes
font_03_sfnt_off0001a03d.bin
e8edb02a3a8445e77fdd9c8fecee1ef2e31ac8e3d8b567927c3b79e91a5f98f6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1A03D 9516 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.