Malicious PDF — malware analysis report

Static analysis result for SHA-256 fdc3da91f99ce862…

MALICIOUS

PDF

Size: 33.5 KB
Created: 2020-04-27 02:22:37 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 9a2f7273c7e186d7294860665ff97de2
SHA-1: 9c46c1874a2498603f4f9581e7ec9a9788a83bdd
SHA-256: fdc3da91f99ce8622c69b92d8c4c567a82f6caef555245f2450ef215b7df5a62
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, many of which are numerically or generically named PDFs hosted on various domains. This pattern is indicative of a link farm or SEO poisoning technique, designed to drive traffic to potentially malicious sites. The document body, while appearing to be an answer key, contains embedded URLs that lead to these external resources. No scripts were extracted, but the sheer volume and nature of the external links strongly suggest a malicious intent to redirect users.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9995

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://4angelstshirts.com/uploads/1/3/1/3/131382673/131382673.html#atomic+structure+practice+1+worksheet+answer+key
    Extracted URLs:
    • http://goldmanassetrecovery.com/uploads/1/3/1/3/131398019/lizakiwo.pdf
    • http://drlisagoldman.com/uploads/1/3/0/5/130590162/4751007.pdf
    • http://birminghamreformed.org/uploads/1/3/1/3/131383541/werikumajiride-gizuw-rubima.pdf
    • http://inthereins.com/uploads/1/3/0/7/130739706/niwolu.pdf
    • http://forgingtheuncommonlife.com/uploads/1/3/0/6/130639683/rudiberedipopur.pdf
    • http://cuzzllc.com/uploads/1/3/0/7/130775775/8294947.pdf
    • http://clarinnes.org/uploads/1/3/0/8/130813416/buvujazojagasug.pdf
    • http://shopity.space/uploads/1/3/1/4/131406947/5670816.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000059b4.bin
SHA-256: af840f25a022e9fa4d9e4350dbad3e4553ed0830d33efb287e8db2a8796596fa
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x59B4
Size: 8328 bytes