Malicious PDF — malware analysis report

Static analysis result for SHA-256 ecfb66ed8040e4d9…

MALICIOUS

PDF

Size: 131.8 KB
Created: 2020-04-21 07:00:07 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: ba37d910bf7faa72b837af6eb93f4801
SHA-1: 0c3b25613355518a9e09c64c77afef275c6505a1
SHA-256: ecfb66ed8040e4d9b88c22aa9a53f5fbdcbe92b01645dc4622e835006c9f9c11
Risk score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF document contains a large number of external links, many of which point to similarly structured URLs on different domains, indicating a link farm or SEO abuse tactic. The document body mentions 'Ambulance carry sheet', which is likely a lure to encourage users to click on the embedded links. The ML classifier strongly flagged this PDF as malicious. No scripts were extracted from this sample, limiting the analysis of direct execution behavior.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ne-surgerycenter.net/uploads/1/3/0/4/130483808/130483808.html#ambulance+carry+sheet
    • http://cascadiatrading.com/uploads/1/3/0/6/130604090/givanizud_bubiworuw_wolun_majomofawipopor.pdf
    • http://graceyukich.com/uploads/1/3/0/6/130603798/4fd7fe52b.pdf
    • http://awakeningtogetherglobally.com/uploads/1/3/0/7/130776328/kotagilireje.pdf
    • http://bigpacifier.com/uploads/1/3/0/4/130475964/25c5daaca28a3e8.pdf
    • http://skinnylaxi.com/uploads/1/3/0/3/130379841/9871460.pdf
    • http://pnpwednesday.com/uploads/1/3/0/6/130604473/363235.pdf
    • http://brenda4villa.com/uploads/1/3/0/9/130969355/2128107.pdf
    • http://bobwillmusforroseville.com/uploads/1/3/0/5/130588803/guxapiw.pdf
    • http://annleebooks.com/uploads/1/3/0/8/130874347/lolusewibini-dafedagalefetik.pdf
    • http://v-test.net/uploads/1/3/0/6/130639024/0e7b61b25016.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0001cf8f.bin
  SHA-256: 7e17b02b3121fb0ad149f884d95c1332a7882c6ec8c4825578a7ebace989c2b3
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1CF8F
  Size: 11236 bytes

Filename: font_01_sfnt_off0001f783.bin
  SHA-256: 41d5c9cb4d60b7530e3cfd93a78efd430fe179aa57a8296e74fb8a971da4b0ee
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x1F783
  Size: 2600 bytes