Malicious PDF — malware analysis report

Static analysis result for SHA-256 02e98a83768adca9…

Verdict: MALICIOUS
File type: PDF
Size: 40.3 KB
Created: 2020-03-09 07:02:21 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 37b6ca68bdbd4fdf95ffe763a77c57d9
SHA-1: 82c0b16d52ddbdd2be4a79b78d50be5bca79525a
SHA-256: 02e98a83768adca9bccc74b4d89a0a9b8233f8d4a438689c8fcd76bd066a86a2
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The PDF contains a large number of external links, a technique often used for SEO manipulation or to redirect users to malicious content. The ML classifier strongly indicated maliciousness, and the PDF structure suggests it's designed to host or link to numerous other PDF files, potentially as part of a link farm or a content distribution network for malware. No scripts were extracted, limiting the analysis of direct execution vectors.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00007534.bin
    SHA-256: 3d72ea6f9cf949bef7d55668c5438b4799894db803a36409a1445bf4e41af2c1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7534
    Size: 7764 bytes