Malicious PDF — malware analysis report

Static analysis result for SHA-256 ff6fd2c55ad0ec1e…

MALICIOUS

PDF

Size: 29.5 KB
Created: 2020-04-27 00:37:29 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 300c7e5ba71c905997bff54d236ade05
SHA-1: a6d3dedaab4099ea7ffc0904155fd833644a791e
SHA-256: ff6fd2c55ad0ec1e7808c346cf01156e7fbec1e322f63fc13773870c1b01a9fd
Risk Score: 92

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

This PDF file contains a large number of external links, many of which point to other PDF files hosted on various domains. The document body mentions 'Angry birds rio hacked version apk', which suggests a lure meant to trick users into downloading malicious content. The numerous SEO-optimized links and the ML classifier's high confidence score indicate malicious intent to distribute further malware or phishing content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9949

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://tirsa.net/uploads/1/3/0/8/130814145/130814145.html#angry+birds+rio+hacked+version+apk