Malicious PDF — malware analysis report

Static analysis result for SHA-256 ff1f00bb5feac97d…

MALICIOUS

PDF

Size: 26.8 KB
Created: 2020-04-24 07:33:46 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 15dade25e70aeadc5abf698d47733c8c
SHA-1: e5b1248b4bcc72bbac4e8d2bb650538f31b00a1c
SHA-256: ff1f00bb5feac97d5f5330399e1db978b16dff2df4d806a72d031c59f1b4da48
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links to various domains, many of which appear to be SEO-optimized PDF hosting sites. The heuristic 'PDF_SEO_LINK_FARM' strongly suggests this is a link farm designed to drive traffic to these pages. The embedded URL 'http://goldsmitsydnor.com/uploads/1/3/1/0/131070792/131070792.html#software+quality+assurance+lecture+notes+pdf' further supports this, as it appears to be a lure for specific content. The ML classifier also flagged this PDF as malicious with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9951

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, ID: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, ID: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://goldsmitsydnor.com/uploads/1/3/1/0/131070792/131070792.html#software+quality+assurance+lecture+notes+pdf
    • http://cambridgeoncologymassage.com/uploads/1/3/0/6/130621744/tazupimatimonem.pdf
    • http://richwifeclub.com/uploads/1/3/0/4/130489168/4910374.pdf
    • http://videogametester-jobs.com/uploads/1/3/0/7/130775934/b9fc4b5.pdf
    • http://ammoheadquarters.com/uploads/1/3/0/6/130621485/17ba8df59474.pdf
    • http://irenegallionart.com/uploads/1/3/0/4/130435694/dekibe-mokejojo-woraranawu.pdf
    • http://lynn-liu.com/uploads/1/3/0/5/130588529/dezeruxuzane.pdf
    • http://teccsfsa.org/uploads/1/3/0/5/130588564/fapaneji.pdf
    • http://inspirecareconsultancy.com/uploads/1/3/0/5/130543141/jewunokutew_mowoj_wibosera.pdf
    • http://ksblogostics.net/uploads/1/3/1/4/131437667/7b8322.pdf
    • http://restoredlearning.com/uploads/1/3/0/3/130379365/7954186.pdf
    • http://pureo.ca/uploads/1/3/0/9/130969327/bexamoderekewifi.pdf
    • http://richardmolyneux.com/uploads/1/3/0/8/130814510/talupewonixurixar.pdf