Malicious PDF — malware analysis report

Static analysis result for SHA-256 ea1a5180a89d43ae…

MALICIOUS

PDF

64.4 KB Created: 2020-04-11 20:10:08 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: ac0d8bf08c92dbae26e087041df3c2b4 SHA-1: 09c56cc17e0dd5b90b80f1b1db9033fe02de5524 SHA-256: ea1a5180a89d43ae7be8926f16ee138c7720bb22ad0c8cfaa91fc32e9df01f8b
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic. These links point to various domains, suggesting a link farm or SEO manipulation tactic. The ML classifier also flagged this PDF as malicious. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9767

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://blackdadsrock.net/uploads/1/3/0/8/130874681/130874681.html#sistema+de+numeracion+chino+y+sus+reglas
    • http://biswajit.com/uploads/1/3/0/7/130776476/1531461.pdf
    • http://twotraditionsco.com/uploads/1/3/1/4/131407918/vovegubupa-davofuxol-zowina.pdf
    • http://thresholdlife.com/uploads/1/3/1/6/131606390/7326270.pdf
    • http://healthypins365.club/uploads/1/3/0/7/130739533/d8701a0e8.pdf
    • http://wilsononerealty.com/uploads/1/3/0/5/130539886/midenorenurij_bazur_xibev_xinoxan.pdf
    • http://solesbeeco.com/uploads/1/3/0/2/130287875/247244299494.pdf
    • http://kiahkayser.com/uploads/1/3/1/3/131379179/bikapumesune.pdf
    • http://111-pod.site/uploads/1/3/1/4/131453087/cfc200379e5.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 4

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00009fb6.bin
bcd727761cb88e8a80ee449870c03661d71101642e6638babb690eb9998a888d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9FB6 9104 bytes
font_01_sfnt_off0000c076.bin
683f7956c71ef1ab32ccade143e5e9971a1eaf98adbb4b17881b04eb77ce5ed8		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC076 3168 bytes
font_02_sfnt_off0000cb88.bin
3dd688ab56f3fed5cf3c1855750d1d26e49382fa0002b15b011abd3a66bf4c3d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCB88 5264 bytes
font_03_sfnt_off0000dc99.bin
d02e5ef318b8350eeefe001531a0238643f3a9a1c172bf162cb8bc32c0933ee7		 pdf-font-stream PDF embedded font (sfnt) at offset 0xDC99 16388 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.