Malicious PDF — malware analysis report

Static analysis result for SHA-256 003d8b7227684321…

MALICIOUS

PDF

35.9 KB Created: 2020-04-07 16:19:28 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: bdb4e1908a80a73bcb5ea6af95a1ad47 SHA-1: 2677448ff896009f39f6261ef94774cfbc8a1099 SHA-256: 003d8b722768432184f62b392032e8733fc4ef35a91c2aa3c0177bc5c0eef1e9
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document was flagged by a machine learning classifier as malicious and contains a large number of external links, indicative of a link farm or phishing attempt. The document body, though partially corrupted, contains a title related to heat transfer experiments and embedded URLs, suggesting a lure to disguise the malicious intent. The primary function appears to be directing users to a network of potentially compromised or malicious websites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://garysstorage.com/uploads/1/3/0/4/130489933/130489933.html#experimento+de+transferencia+de+calor+por+conduccion+conveccion+y+radiacion
    • http://suzannewilliamson.net/uploads/1/3/0/6/130621315/7020055.pdf
    • http://thonon-athletisme.com/uploads/1/3/0/4/130488583/rutisubukipef.pdf
    • http://lounttownship.com/uploads/1/3/0/8/130814329/resibuvakol-zenuzonunuda-zukuzis-kuwiget.pdf
    • http://parabellumkennel.com/uploads/1/3/0/6/130603925/9964364.pdf
    • http://redefineservices.com/uploads/1/3/0/9/130969986/6c9011.pdf
    • http://wildwifenaturalmexicanfood.com/uploads/1/3/0/6/130620364/2efe0.pdf
    • http://colorcountertops.com/uploads/1/3/0/5/130589416/3452740.pdf
    • http://aacustomsdesign.com/uploads/1/3/0/6/130620521/sijipumofeg_lorit_rifedimaparapaj.pdf
    • http://newerakc.com/uploads/1/3/0/7/130775942/8278375.pdf
    • http://gaysceneaustin.com/uploads/1/3/0/7/130776017/31d993e.pdf
    • http://hiddenriverwholesale.com/uploads/1/3/0/7/130739048/1795847.pdf
    • http://elder-well.net/uploads/1/3/0/2/130272551/e80e415.pdf
    • http://hebervalleyinsurance.com/uploads/1/3/0/9/130969873/2063225.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000637d.bin
68a3f6b3b73a31f75b7f1a7b83059231e51358e267dadd1233781c83bc8bceb6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x637D 7712 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.