Malicious PDF — malware analysis report

Static analysis result for SHA-256 f88123ca6c29e9a5…

MALICIOUS

PDF

Size: 40.8 KB
Created: 2020-06-09 23:42:26 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 98a1bf7f25258a04ad356af441bbd697
SHA-1: 9cebbfd0a8476175d2753f77835e5d9ddd2c581b
SHA-256: f88123ca6c29e9a578e4b49841f51fb4b87f48fa7ca9e1041dd33bc741b8ec41
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a significant number of external links, a technique often used for SEO poisoning or to redirect users to malicious sites. The ML classifier strongly indicated maliciousness. The primary malicious URL identified is http://to.undesirable.us/uploads/1/3/0/7/130738885/130738885.html#les+homophones+grammaticaux+le%25C3%25A7on, which is part of a larger link farm.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: http://to.undesirable.us/uploads/1/3/0/7/130738885/130738885.html#les+homophones+grammaticaux+le%25C3%25A7on

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006d05.bin
SHA-256: 8bcb56590ce76b08a67fd27f5f08b633ab7d60351bda79d4b5f33b20cc08edb6
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6D05
Size: 12408 bytes