Malicious PDF — malware analysis report

Static analysis result for SHA-256 eaa13ebbd6ad0446…

Verdict: MALICIOUS
File type: PDF
Size: 35.8 KB
Created: 2020-04-01 17:42:14 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 01183e051273474cd10464f58d21c26b
SHA-1: 0a928850ac63b1b47ac75cd3ebbea6cab62b0848
SHA-256: eaa13ebbd6ad04469072530fa640da4d851789666ad6722b68804228d400eb5a
Risk score: 152

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, many of which are hosted on domains that appear to be part of a link farm. The document body, though partially corrupted, suggests a lure related to 'Guess the brand' answers. The presence of PDF_SEO_LINK_FARM and PDF_URI heuristics, along with ClamAV detection as Pdf.Dropper.Agent-9251230-0, strongly indicates this PDF is designed to redirect users to malicious content or download further payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Dropper.Agent-9251230-0
    ClamAV detected this file as malware: Pdf.Dropper.Agent-9251230-0
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000649d.bin
    SHA-256: 349e9b6621b6828b0a8308b137afabd953b48c60226af701e869d21e844a98bb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x649D
    Size: 7480 bytes