Malicious PDF — malware analysis report

Static analysis result for SHA-256 feab290e99ee2f8f…

MALICIOUS

PDF

34.4 KB Created: 2020-04-03 13:26:46 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: bb4f21e51f3ad76f3d6f545ce4843d56 SHA-1: 6027e8495f1c9b85083d2e6cd1668a5823e6049b SHA-256: feab290e99ee2f8fb7dd2c429bfba7574dbf9c86ffc3c85b1c79ce6745c8e8b5
92 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic. The ML classifier also flagged this PDF as malicious with high confidence. The document body contains text related to a 'Covalent bond naming practice worksheet', which appears to be a lure to disguise the malicious intent of linking to numerous unrelated domains. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://growmygardens.com/uploads/1/3/1/4/131483265/131483265.html#covalent+bond+naming+practice+worksheet
    • http://comtypsi.com/uploads/1/3/0/4/130488470/titoveputisop.pdf
    • http://crucialdesigns2020.com/uploads/1/3/0/4/130488252/ab93cffe52.pdf
    • http://maturefaps.com/uploads/1/3/0/8/130814056/e114eaad8d51e38.pdf
    • http://imagodei.biz/uploads/1/3/0/2/130288549/zogixiz_jewuviwe_kuniker.pdf
    • http://cyclebavaria.com/uploads/1/3/0/7/130739495/bowojavozo.pdf
    • http://beautifulwomenofdestiny.com/uploads/1/3/0/4/130491271/fegurodetizaru.pdf
    • http://sparkstrategicconsulting.com/uploads/1/3/0/8/130813516/7b8d007d0e43.pdf
    • http://robinstremlowyoga.com/uploads/1/3/0/9/130969053/3513891.pdf
    • http://mecanicienindustriel.com/uploads/1/3/0/5/130552053/vufelaxuxunebiv.pdf
    • http://divinehealinghands.studio/uploads/1/3/0/6/130639224/d01a39e208a.pdf
    • http://silverstoneacademy.com/uploads/1/3/1/4/131452883/2943939.pdf
    • http://artisanvegane.net/uploads/1/3/0/2/130289304/peveledemenagorux.pdf
    • http://spinzoom.com/uploads/1/3/0/3/130313161/ketizilo.pdf
    • http://tawnellhobbs.com/uploads/1/3/0/5/130539354/fiverexovo.pdf
    • http://prams.pl/uploads/1/3/0/7/130775475/39357.pdf
    • http://effective-analytical-chemistry-llc.com/uploads/1/3/0/4/130483429/a57175a500e.pdf
    • http://transenergy.us/uploads/1/3/0/7/130739944/gezapudu.pdf
    • http://kavatravelbureau.com/uploads/1/3/0/4/130476572/zogakof.pdf
    • http://aapnebobber.no/uploads/1/3/1/3/131380901/vofelexi-wixudigiz-benoteraniw-wififawapaki.pdf
    • http://johnpacewrites.com/uploads/1/3/0/3/130324206/tekenotolipuke_turage.pdf
    • http://ic1love.com/uploads/1/3/0/2/130287878/afe891fb.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005e2b.bin
9579cf7ef5f0f88d5574c04182b0ddbb8da01314498220b5dae8e2b2f16e8cd5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5E2B 7044 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.