Malicious PDF — malware analysis report

Static analysis result for SHA-256 ebf80963eeca6694…

MALICIOUS

PDF

Size: 34.3 KB
Created: 2020-05-13 19:55:40 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 026267a9ec29c93e99c549cb73b058b0
SHA-1: cf0c30792786f12c4864382e96031ccdc5daf0a2
SHA-256: ebf80963eeca669419ced0ac9a9eaad24e65b24b7c04443ef18025a5cec75ca0
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file was flagged by a machine learning classifier as malicious. It contains a large number of external links, many of which point to PDF files on various domains, suggesting a link farm or redirection strategy. The primary attack pattern appears to be the distribution of numerous external links, likely intended to manipulate search engine results or lead users to malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://2016toyotalandcruiserawd.com/uploads/1/3/0/8/130813514/130813514.html#concave+mirror+always+forms+a+virtual+image
    • http://mhlansdalellc.com/uploads/1/3/1/6/131636948/zagupabisoso_xemisebiwujozez.pdf
    • http://buygoodpot.com/uploads/1/3/0/3/130324030/36ec1.pdf
    • http://oregondollhouse.com/uploads/1/3/0/4/130476407/siruxe-ziwegetapazap.pdf
    • http://spassparadiesdienstleistung.ch/uploads/1/3/0/7/130740563/posirelosuvugoritewo.pdf
    • http://lafe.org/uploads/1/3/0/6/130604588/4017281.pdf
    • http://savvysexystyle.com/uploads/1/3/0/6/130604344/zotowar.pdf
    • http://craftsbycarmen.com/uploads/1/3/0/4/130435895/8955738.pdf
    • http://mypomrocks.com/uploads/1/3/0/6/130620731/7068118.pdf
    • http://propertyprossoyoucanenjoyyourvacation.com/uploads/1/3/0/8/130874001/5efc23.pdf
    • http://queblesolutions.com/uploads/1/3/1/3/131381036/5b7197c180ba.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00005655.bin | 68d094faf81d2ea9f62e68ee4e789e40b6192f27e323b9e50c58fbaa8f881837 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x5655 | 2900 bytes
font_01_sfnt_off00006092.bin | bc374f853ba4b7970f53d249db07b11ee1e8112d7c4fd11d93ace0f5c82c8530 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6092 | 9820 bytes