Malicious PDF — malware analysis report

Static analysis result for SHA-256 f628c73fd59c3c95…

Verdict: MALICIOUS
File type: PDF
Size: 37.3 KB
Created: 2020-03-24 21:10:57 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 9a912750e1d53a908455c7335cf3ddb8
SHA-1: 30d62827c95388411b15ef7b8bb0e70760113393
SHA-256: f628c73fd59c3c9526eccb30d8dac1a545e3f9c578f4a63b4705c5e25726b786
Risk score: 92

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF contains a large number of external links. Most of them point at other PDFs under near-identical /uploads/1/3/0/.../<id>/ paths on unrelated domains, and the file names are numeric or random strings rather than titles, which is the signature of generated SEO/link-farm carriers rather than genuine citations. In this sample the clustering is on the path template rather than on a single host. The document body mentions 'I am pilgrim ebook free', a search-bait lure intended to make the reader click the embedded URLs. The ML classifier flagged the file as malicious with maximum confidence. No JavaScript, launch-action or embedded-file heuristic fired on this sample, so the risk lies in where the links lead: the document is a distribution hop towards further malicious content, unwanted software or phishing pages, not a self-contained exploit.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): small PDF contains a mass of external PDF links
    A small PDF contains many clickable external links to other PDFs, mostly clustered on one host or one path pattern. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): external URI action
    The PDF contains an external URL action (/S /URI) on a link annotation.
  • EMBEDDED_URL (info): embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    First-listed URL (the fragment matches the 'I am pilgrim ebook free' lure text):
    • http://jobo-natuurfotografie.com/uploads/1/3/1/3/131384368/131384368.html#i+am+pilgrim+ebook+free
    External PDF link targets:
    • http://mobisocial1.com/uploads/1/3/0/8/130813037/korevuzede.pdf
    • http://higginslakeministorage.com/uploads/1/3/0/5/130551331/8856fd.pdf
    • http://www.samanderson.me/uploads/1/3/0/3/130312972/8824268.pdf
    • http://celebrateinvitations.org/uploads/1/3/0/6/130604541/bdc068218e7b5.pdf
    • http://bridgetbloodphotography.com/uploads/1/3/0/8/130874289/6449368.pdf
    • http://thelaunchworx.com/uploads/1/3/0/2/130272278/01e3c8.pdf
    • http://www.alulina-shop.de/uploads/1/3/0/4/130436357/783ff658e96.pdf
    • http://jtagtutorial.org/uploads/1/3/0/5/130542758/luxemolurupinimolewo.pdf
    • http://www.harpsmobilephotography.com/uploads/1/3/0/5/130588681/xixojenifalovi_nipefurujo_desakumip_tiraz.pdf
    • http://moederfamily.com/uploads/1/3/0/7/130776889/665503.pdf
    • http://petalingjaya-properties.com/uploads/1/3/0/5/130543170/f45022b5.pdf
    XMP/RDF metadata namespace identifiers (not clickable links; present in practically every PDF that carries XMP metadata, and should not be counted towards the link-farm score):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
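The link-farm heuristic and the URL extraction above can be reproduced at byte level. The following is an added example written for this page, not the analysis platform's own code: it pulls the targets of /URI actions out of an uncompressed PDF, keeps XMP namespace identifiers separate so they do not inflate the link count, and scores the link-farm pattern on file size, link count, share of .pdf targets and clustering on one host or one path template (which is how this sample clusters). The thresholds, the host names and the fixture builder are assumptions made for the example; a real extractor needs a proper PDF parser for escaped strings, hex strings and compressed object streams.

```python
from __future__ import annotations

import posixpath
import re
from collections import Counter
from urllib.parse import urlparse

# A literal string after the /URI key is the target of a URI action
# (<< /S /URI /URI (http://...) >>). "/S /URI" is never followed by "(", so
# this pattern only matches the target, not the action subtype.
URI_ACTION = re.compile(rb"/URI\s*\(([^)]*)\)")
# XMP namespace declarations in the /Metadata stream: identifiers, not links.
XMLNS = re.compile(rb'xmlns:[A-Za-z0-9_]+="([^"]+)"')


def extract_link_uris(pdf_bytes: bytes) -> list[str]:
    """Targets of /URI actions, i.e. where a click actually takes the reader."""
    return [m.decode("latin-1") for m in URI_ACTION.findall(pdf_bytes)]


def extract_namespace_uris(pdf_bytes: bytes) -> list[str]:
    """XMP namespace URIs, kept separate so they never count as links."""
    return sorted({m.decode("latin-1") for m in XMLNS.findall(pdf_bytes)})


def path_template(path: str) -> str:
    """Directory part of a path with digit runs collapsed, so that
    /uploads/1/3/0/5/130551331/x.pdf and /uploads/1/3/0/8/130813037/y.pdf
    both map to /uploads/N/N/N/N/N."""
    return re.sub(r"\d+", "N", posixpath.dirname(path))


def link_farm_score(pdf_bytes: bytes, min_links: int = 8,
                    max_size: int = 200 * 1024) -> dict:
    """Small file, many external links, mostly .pdf targets, targets clustered
    on one host or one path template. Thresholds are assumptions for this
    example, not the analysis platform's values."""
    links = [urlparse(u) for u in extract_link_uris(pdf_bytes)]
    external = [p for p in links if p.scheme in ("http", "https")]
    n = len(external)
    hosts = Counter(p.hostname or "" for p in external)
    templates = Counter(path_template(p.path) for p in external)
    pdf_targets = sum(1 for p in external if p.path.lower().endswith(".pdf"))
    top_host, top_host_n = hosts.most_common(1)[0] if hosts else ("", 0)
    top_tmpl, top_tmpl_n = templates.most_common(1)[0] if templates else ("", 0)
    flagged = (
        len(pdf_bytes) <= max_size
        and n > 0 and n >= min_links
        and pdf_targets / n >= 0.5
        and max(top_host_n, top_tmpl_n) / n >= 0.5
    )
    return {
        "size": len(pdf_bytes), "links": n, "pdf_targets": pdf_targets,
        "top_host": top_host, "top_host_share": top_host_n / n if n else 0.0,
        "top_template": top_tmpl, "top_template_share": top_tmpl_n / n if n else 0.0,
        "flagged": flagged,
    }


def build_fixture(targets: list[str]) -> bytes:
    """Hand-built, uncompressed PDF skeleton (no xref table, so not valid for a
    viewer) with one /Link annotation per target plus an XMP metadata stream.
    Constructed for this example; it is not the analysed sample."""
    annots, objs = [], []
    for i, url in enumerate(targets):
        num = 4 + i
        annots.append(f"{num} 0 R")
        objs.append(f"{num} 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                    f"/A << /S /URI /URI ({url}) >> >> endobj")
    meta = 4 + len(targets)
    xmp = ('<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           'xmlns:dc="http://purl.org/dc/elements/1.1/"/></x:xmpmeta>')
    lines = [
        "%PDF-1.4",
        f"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata {meta} 0 R >> endobj",
        "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        f"3 0 obj << /Type /Page /Parent 2 0 R /Annots [{' '.join(annots)}] >> endobj",
        *objs,
        f"{meta} 0 obj << /Type /Metadata /Subtype /XML /Length {len(xmp)} >>",
        "stream", xmp, "endstream", "endobj",
        "trailer << /Root 1 0 R >>", "%%EOF",
    ]
    return "\n".join(lines).encode("latin-1")


# Constructed link-farm style targets: one path template, most on one host.
# The .example hosts are placeholders, not the domains from the report.
FARM_TARGETS = []
for i in range(12):
    host = "farm.example" if i < 9 else f"other{i}.example"
    FARM_TARGETS.append(f"http://{host}/uploads/1/3/0/{i}/1308{i:05d}/{i:06x}.pdf")

if __name__ == "__main__":
    farm = build_fixture(FARM_TARGETS)
    print(link_farm_score(farm))
    print("namespaces (excluded):", extract_namespace_uris(farm))
    print(link_farm_score(build_fixture(["http://docs.example/manual.html"])))
```

Run against a real sample by replacing the fixture with the file's bytes; if the annotations sit inside a compressed object stream (PDF 1.5+ /ObjStm), the regex sees nothing and a real parser such as pdfminer or pypdf is needed to inflate it first.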

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000688a.bin
SHA-256: 5dc385df40ce0dc73d996c7ea6956a73b280132e2bdddaebfb07fa53d46dd447
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x688A
Size: 8328 bytes

An embedded sfnt (TrueType) font stream is normal output for wkhtmltopdf, which subsets and embeds the fonts it renders with; the artifact is listed for completeness, not as a detection.