Malicious PDF — malware analysis report

Static analysis result for SHA-256 f68d7c034f152ceb…

Verdict: MALICIOUS
File type: PDF
Size: 47.3 KB
Created: 2020-06-03 22:11:30 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b23e3c8a4d24a40256fec8ec3783ad47
SHA-1: bbc76b06f98ecff769a9f1c8d0dab84fb66dc624
SHA-256: f68d7c034f152cebcd4c8056c980802259654a4548cf8374db1ab93343d315a9
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a significant number of external links, identified by the PDF_SEO_LINK_FARM heuristic, suggesting a link farm or SEO manipulation tactic. The ML_NYX_PDF_MALICIOUS heuristic strongly supports the malicious classification. The embedded URLs point to various domains, likely serving as lures or redirects to malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://haironpointyeg.com/uploads/1/3/0/2/130287992/130287992.html#igualmente+o+significado+bom
    • http://evergreencapital.org/uploads/1/3/1/8/131856184/d43b8.pdf
    • http://datemefoods.com/uploads/1/3/0/3/130379266/46630814262.pdf
    • http://dogoapparel.com/uploads/1/3/0/4/130478935/kapeninefo_bikiwo_jamawibifeji.pdf
    • http://walnutspringfarms.com/uploads/1/3/0/6/130621182/3155919.pdf
    • http://hi5.business/uploads/1/3/0/6/130605153/kivagaz.pdf
    • http://seadooimpeller.com/uploads/1/3/0/7/130776734/7552272.pdf
    • http://waterweeknorth.ca/uploads/1/3/0/5/130588656/3823715.pdf
    • http://kinneycustomdesigns.net/uploads/1/3/1/4/131483423/vomezu.pdf
    • http://louisebarnick.com/uploads/1/3/0/4/130435947/8476490.pdf
    • http://haironpointyeg.com/uploads/1/3/0/2/130287992/terms.html
    • http://haironpointyeg.com/uploads/1/3/0/2/130287992/dmca.html
    • http://haironpointyeg.com/uploads/1/3/0/2/130287992/policy.html
    • https://desebiwago475772
    • https://xapoteronov.files.wordpress.com/2020/06/manitetil.pdf
    • https://befutawoz.files.wordpress.com/2020/06/jolunasagivibukabaleno.pdf
    • https://wukuxolofis.files.wordpress.com/2020/06/84605740380.pdf
    • https://xodugunoku.files.wordpress.com/2020/06/nizirugagodigezewuk.pdf
    • https://desebiwago475772337.files.wordpress.com/2020/06/dolodikakisuzuline.pdf
    • https://tosenofa.files.wordpress.com/2020/06/15967332889.pdf
    • https://mavuwepezigi.files.wordpress.com/2020/06/gifizezutewibazuwoxoladid.pdf
    • https://murulejam.files.wordpress.com/2020/06/16365474956.pdf
    • https://migoxuwo.files.wordpress.com/2020/06/mosage.pdf
    • https://sazexaki.files.wordpress.com/2020/06/53541830354.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00008701.bin
    SHA-256: 887f736f0e42ae470f78e37f8c194af7650a4b5aec5fdb05c06632d479958116
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8701
    Size: 13444 bytes