Malicious PDF — malware analysis report

Static analysis result for SHA-256 f1e1202e3e2616aa…

Verdict: MALICIOUS
File type: PDF
Risk score: 92

Size: 63.7 KB
Created: 2020-04-28 05:57:35 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: b15f58ac516ec69bf40dfec983ad507c
SHA-1: 123502020f54472d6170c7aac368355477e738fe
SHA-256: f1e1202e3e2616aa6d6b8e5756dff42e579ea7567bc713175d5bbd2472e36639

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Link (the ID originally appeared beside the label "Spearphishing Attachment"; T1566.002 is Spearphishing Link, T1566.001 is Spearphishing Attachment)
T1059.001 PowerShell (the static indicators below contain no PowerShell; treat this mapping as describing the likely downstream delivery chain, not content inside this file)

The PDF contains an unusually large number of external links for a 63.7 KB file. Most of them point to other PDF files under near-identical /uploads/1/3/<digits>/<id>/ paths on many different domains, a pattern typical of generated SEO-poisoning link farms rather than of a real document's citations. The authoring application (wkhtmltopdf, an HTML-to-PDF converter) is consistent with mass generation from web templates. The document body carries a lure for 'beach buggy racing windows 10' together with a URL to a matching HTML page, i.e. an attempt to route search traffic into a malicious or deceptive download chain. The ML classifier independently scored the file as malicious (0.9999).

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 3

  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info) PDF_URI
    PDF contains an external URL action
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Document body (lure URL):
    • http://southeastasiastrategies.com/uploads/1/3/0/4/130483429/130483429.html#beach+buggy+racing++windows+10
    Clickable link annotations (/URI actions):
    • http://buy-fedex.com/uploads/1/3/1/4/131407010/5136918.pdf
    • http://forevergardens.org/uploads/1/3/0/7/130776873/sazum-jibetes.pdf
    • http://petmaine.net/uploads/1/3/1/4/131453051/4664d00.pdf
    • http://yukotsuchihashinyc.com/uploads/1/3/0/2/130273791/602478.pdf
    • http://laxchicagoland.com/uploads/1/3/1/3/131383532/vobenexowedebaj.pdf
    • http://aultshypnotherapyandmassage.services/uploads/1/3/0/7/130739169/bokugifigigare_nigesojisota.pdf
    • http://insurancetailored.net/uploads/1/3/1/4/131407299/sikatigudana-duvuluro-jevivufi.pdf
    • http://cbarberart.com/uploads/1/3/0/7/130775842/4655495.pdf
    • http://tbspeo.com/uploads/1/3/0/5/130539084/6dec466e507275.pdf
    • http://thechocolatemoosesc.shop/uploads/1/3/0/7/130776589/b7a8586.pdf
    • http://hotdealmonthly.com/uploads/1/3/0/2/130288334/fbeb8e5.pdf
    • http://nextgenaccountingservices.com/uploads/1/3/0/2/130287314/sizamud-fusodidakawaji-ximaj-zakawijowu.pdf
    • http://onedogsstory.com/uploads/1/3/1/0/131071125/794529.pdf
    • http://dorseydeportfolio.com/uploads/1/3/0/4/130477945/pudararajo-zubumifetaza.pdf
    • http://cbarberart.com/uploads/1/3
    XMP metadata namespace identifiers (standard RDF/Dublin Core/Adobe XMP schema URIs declared in the metadata stream; not navigable links and of no IOC value):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
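The following is an added worked example, not part of this report and not the vendor's detector. It shows how the PDF_SEO_LINK_FARM idea and the per-channel URL labelling above can be reproduced with the standard library alone: /URI link actions are pulled out of the file, XMP namespace declarations are separated out as metadata rather than links, and a small file with many external .pdf links concentrated on one host is flagged. The sample PDF, its hosts (farm-a.example and friends) and the thresholds are all constructed for the example; the regex scan only works on uncompressed objects, so a real sample should be decoded with pypdf or pdfminer first.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample links (hypothetical hosts, not the analysed file):
# six external .pdf links, four of them on one host, plus one .html lure.
SAMPLE_LINKS = [
    "http://farm-a.example/uploads/1/3/0/1/130000001/a1.pdf",
    "http://farm-a.example/uploads/1/3/0/1/130000001/b2.pdf",
    "http://farm-a.example/uploads/1/3/0/1/130000001/c3.pdf",
    "http://farm-a.example/uploads/1/3/0/1/130000001/d4.pdf",
    "http://farm-b.example/uploads/1/3/0/2/130000002/e5.pdf",
    "http://farm-c.example/uploads/1/3/0/3/130000003/f6.pdf",
    "http://lure.example/uploads/1/3/0/4/130000004/page.html#game+name",
]


def build_sample_pdf(links):
    """Assemble a minimal uncompressed PDF whose single page carries one
    /Link annotation per URL plus an XMP metadata stream. No xref table is
    written; that is enough for the regex scan below, not for a strict reader."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Metadata 3 0 R >>",
        b"<< /Type /Pages /Kids [4 0 R] /Count 1 >>",
    ]
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></x:xmpmeta>')
    objs.append(b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n%s\nendstream"
                % (len(xmp), xmp))
    first_annot = len(objs) + 2          # page object comes next, annots after it
    refs = b" ".join(b"%d 0 R" % (first_annot + i) for i in range(len(links)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots ["
                + refs + b"] >>")
    for url in links:
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] "
                    b"/A << /S /URI /URI (" + url.encode() + b") >> >>")
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# /A << /S /URI /URI (string) >> : the URL is a PDF literal string, so allow
# backslash-escaped characters inside it.
URI_ACTION = re.compile(rb"/S\s*/URI\s*/URI\s*\(((?:\\.|[^\\)])*)\)")
XMLNS = re.compile(rb'xmlns:[\w.-]+="([^"]+)"')


def extract_link_uris(pdf: bytes) -> list:
    """URLs reached through clickable /URI link actions (the PDF_URI channel)."""
    return [m.group(1).decode("latin-1") for m in URI_ACTION.finditer(pdf)]


def extract_xmp_namespaces(pdf: bytes) -> list:
    """Namespace identifiers declared in XMP metadata. They look like URLs but
    are schema names, so label them as metadata rather than as indicators."""
    return sorted({m.group(1).decode("latin-1") for m in XMLNS.finditer(pdf)})


def link_farm_verdict(pdf: bytes, max_size=200_000, min_pdf_links=5,
                      min_top_host_share=0.5) -> dict:
    """Re-implements the PDF_SEO_LINK_FARM heuristic described in the report:
    a small PDF whose clickable links mostly lead to other .pdf files and
    cluster on one host. Thresholds are assumptions chosen for this example."""
    links = extract_link_uris(pdf)
    pdf_links = [u for u in links if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    top_share = top_count / len(pdf_links) if pdf_links else 0.0
    flagged = (len(pdf) <= max_size
               and len(pdf_links) >= min_pdf_links
               and top_share >= min_top_host_share)
    return {
        "size": len(pdf),
        "link_uris": links,
        "pdf_link_count": len(pdf_links),
        "top_host": top_host,
        "top_host_share": round(top_share, 3),
        "non_pdf_links": [u for u in links if u not in pdf_links],
        "metadata_namespaces": extract_xmp_namespaces(pdf),
        "PDF_SEO_LINK_FARM": flagged,
    }


if __name__ == "__main__":
    for key, value in link_farm_verdict(build_sample_pdf(SAMPLE_LINKS)).items():
        print(f"{key}: {value}")
```

One caveat a practitioner will notice against the list above: the links in the real sample are spread across many domains and would not cluster on a single host, but they do share the /uploads/1/3/<digits>/<id>/ path template. A second signal on a shared path template (or on the fraction of links that end in .pdf, which the function already computes) is the natural extension if host clustering alone under-fires.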

Extracted artifacts 3

Files carved from inside the sample during analysis. All three are embedded sfnt (TrueType/OpenType) font programs, which is what a wkhtmltopdf-generated file is expected to contain; no executable, script or embedded-file payload was carved.

  • font_00_sfnt_off00008b84.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8B84
    Size: 9120 bytes
    SHA-256: ebe692f707bad966e01334e224d4b885fd7a963042ca6ead98cc74ebc167d11e
  • font_01_sfnt_off0000ae25.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xAE25
    Size: 12784 bytes
    SHA-256: 9ed503448582226ea1325b2f0071b2ad37e942f332bcf8a7e0385893b8ab16b8
  • font_02_sfnt_off0000d710.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD710
    Size: 17108 bytes
    SHA-256: 7e33e743f511c6698a8030eea68c6e3db8910a93c058a9a26aa1269a87ad8d7d