Malicious PDF — malware analysis report

Static analysis result for SHA-256 02f95761357a0469…

Verdict: MALICIOUS
File type: PDF
Size: 41.4 KB
Created: 2020-04-25 04:01:37 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 1cbe8962d206266399d8dfe07a1c1936
SHA-1: fc1f1fd3a4d044cac904543d06c2f19fb941cd9e
SHA-256: 02f95761357a0469983ea9dd0907c23fc6632a6b0e7dc2de28d8273b7751b1e5
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries a large number of external links and matches the 'PDF_SEO_LINK_FARM' heuristic. The first URL points to a '.html' path whose fragment ('#affluent+society+galbraith+pdf') is the lure text, a search-term bait typical of SEO-poisoning carriers; the other external links are same-pattern '/uploads/1/3/...' PDF URLs spread across several hosts. No JavaScript or other script content was extracted from the sample, so the T1059.007 mapping is not corroborated by the static evidence in this report: the risk lies in where the links route the user (malicious or unwanted-software delivery chains, including phishing pages) rather than in code carried by the file itself. The ML classifier also scored the file as malicious with high confidence (0.9979).

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9979

Heuristics (4)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://russolawoffice.com/uploads/1/3/0/6/130621349/130621349.html#affluent+society+galbraith+pdf
    • http://screscentoutfitters.com/uploads/1/3/0/8/130874305/2835830.pdf
    • http://autoconciergeservice.com/uploads/1/3/0/6/130640078/lugeb.pdf
    • http://bcdebate.org/uploads/1/3/0/5/130546096/totepusamimap.pdf
    • http://wendyturnerart.com/uploads/1/3/0/6/130620345/pejixogigut.pdf
    • http://reconciliarte.org/uploads/1/3/1/0/131071127/4063793.pdf
    • http://alldomesticcustomcleaning.com/uploads/1/3/1/3/131384145/52497af0.pdf
    • http://rightwaymovers.net/uploads/1/3/1/6/131637658/jonosubelafujusi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries are XMP/RDF namespace identifiers from the document's metadata stream, not clickable links; discount them when counting external links. The first entry carries the lure text in its URL fragment, and the seven '.pdf' entries that follow share one '/uploads/1/3/...' path template across different hosts.
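The two structural heuristics above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL), together with the per-channel URL labelling that EMBEDDED_URL refers to, implemented as an added example in Python. This is not the scanner's own code: the thresholds (200 KB, six links, 50 % share), the channel names, and the sample PDF the script builds for itself are assumptions constructed here, and the regex-based object and URI scan is deliberately minimal (no xref parsing, no stream decompression), which is enough for the shapes this report describes.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample URLs (not taken from the analysed file): six .pdf links
# clustered on one host plus two stragglers, the shape the link-farm rule targets.
SAMPLE_URLS = [f"http://link-farm.example/uploads/1/3/0/6/{i}.pdf" for i in range(6)] + [
    "http://other-a.example/uploads/1/3/0/8/x.pdf",
    "http://other-b.example/index.html",
]
XMP = ('<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
       'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"></rdf:RDF></x:xmpmeta>')

# Namespace URIs that live in XMP metadata rather than in link annotations.
XMP_NAMESPACES = ("http://ns.adobe.com/", "http://purl.org/dc/elements/",
                  "http://www.w3.org/1999/02/22-rdf-syntax-ns")
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")             # string-form /URI values only
URL_RE = re.compile(rb"https?://[^\s()<>\[\]'\x22]+")   # any URL anywhere in the bytes


def build_sample_pdf(urls, duplicate_catalog_with_js):
    """Build a minimal PDF: one page of /URI link annotations, an XMP metadata
    stream and, optionally, an incremental update that redefines the Catalog
    (object 1) with an /OpenAction JavaScript. Constructed test input only."""
    refs = " ".join(f"{6 + i} 0 R" for i in range(len(urls)))
    parts = [
        "%PDF-1.4\n",
        "1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >>\nendobj\n",
        "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        f"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [{refs}] >>\nendobj\n",
        "4 0 obj\n<< /Producer (constructed sample) >>\nendobj\n",
        f"5 0 obj\n<< /Type /Metadata /Subtype /XML /Length {len(XMP)} >>\n"
        f"stream\n{XMP}\nendstream\nendobj\n",
    ]
    for i, url in enumerate(urls):
        parts.append(f"{6 + i} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
                     f"/A << /S /URI /URI ({url}) >> >>\nendobj\n")
    parts.append("trailer\n<< /Root 1 0 R /Info 4 0 R >>\n%%EOF\n")
    if duplicate_catalog_with_js:
        # Incremental update: same object number and generation, different body.
        parts.append("1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R "
                     "/OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>\nendobj\n")
        parts.append("trailer\n<< /Root 1 0 R /Info 4 0 R >>\n%%EOF\n")
    return "".join(parts).encode("latin-1")


def extract_uri_actions(pdf):
    """URLs reached through /URI actions (the 'link annotation' channel)."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def is_xmp_namespace(url):
    return url.startswith(XMP_NAMESPACES)


def label_urls(pdf):
    """Map every URL in the file to the channel it came from, as EMBEDDED_URL does."""
    actions = set(extract_uri_actions(pdf))
    labels = {}
    for m in URL_RE.finditer(pdf):
        url = m.group(0).decode("latin-1")
        if is_xmp_namespace(url):
            labels[url] = "xmp-namespace"      # metadata, not a clickable link
        elif url in actions:
            labels[url] = "link-annotation"
        else:
            labels[url] = "document-body"
    return labels


def link_farm_verdict(pdf, max_size=200_000, min_links=6, cluster_share=0.5):
    """PDF_SEO_LINK_FARM: small file, many external .pdf links, one dominant host.
    Thresholds are assumptions for this example, not the scanner's values."""
    external = [u for u in extract_uri_actions(pdf)
                if urlsplit(u).scheme in ("http", "https") and not is_xmp_namespace(u)]
    hosts = Counter(urlsplit(u).hostname for u in external)
    pdf_links = sum(1 for u in external if urlsplit(u).path.lower().endswith(".pdf"))
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    flagged = (len(pdf) <= max_size and len(external) >= min_links
               and top_count >= cluster_share * len(external)
               and pdf_links >= cluster_share * len(external))
    return {"flagged": flagged, "size": len(pdf), "external_links": len(external),
            "pdf_links": pdf_links, "top_host": top_host, "top_host_links": top_count}


def duplicate_object_findings(pdf):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: same 'N G obj' defined twice with
    different bytes. Severity is raised only when the later body carries active
    content, mirroring the rule described in the report."""
    first_seen = {}
    findings = []
    for m in OBJ_RE.finditer(pdf):
        key = (int(m.group(1)), int(m.group(2)))
        body = m.group(3).strip()
        if key in first_seen:
            if body != first_seen[key]:
                active = any(k in body for k in ACTIVE_KEYS)
                findings.append({"obj": key, "severity": "critical" if active else "info",
                                 "first_wins_len": len(first_seen[key]), "last_wins_len": len(body)})
        else:
            first_seen[key] = body
    return findings


if __name__ == "__main__":
    sample = build_sample_pdf(SAMPLE_URLS, duplicate_catalog_with_js=True)
    print(link_farm_verdict(sample))
    for url, channel in label_urls(sample).items():
        print(f"{channel:16} {url}")
    print(duplicate_object_findings(sample))
```

The duplicate-object check keeps the first body it meets and reports any later definition whose bytes differ; a conformant reader applies the incremental update and honours the last definition, so in the constructed sample the /OpenAction JavaScript is visible only to last-wins readers while a first-wins scanner sees a clean Catalog, which is exactly the disagreement the heuristic is built to surface. The URL labelling shows why the six XMP namespace URIs listed in this report should not be counted as external links: they never appear in a /URI action.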

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007a72.bin
SHA-256: 1625a7bbea6c453936116755d91de76e80e7f9874c797a671476e06629113595
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x7A72
Size: 8128 bytes