Malicious PDF — malware analysis report

Static analysis result for SHA-256 03b49253b73f5073…

MALICIOUS

PDF

94.7 KB Created: 2020-04-24 11:39:29 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: c8e448c345e0c417d18870ee65d90e16 SHA-1: 98ae76b3a7af94d59185a9387f2dc0a0b9af3be8 SHA-256: 03b49253b73f507348efe105b20294f96cf0393fa7b553df008b4a04ad2086e2
136 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF contains numerous links to external resources, many of which appear to be part of a link farm designed to obscure malicious intent. The 'SE_REMOTE_SUPPORT_LURE' heuristic indicates the document's content likely instructs the user to install or connect with a remote support tool, a common tactic for social engineering attacks. The ML classifier also flagged this PDF as malicious with high confidence.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9855

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Remote-support tool lure high SE_REMOTE_SUPPORT_LURE
    Document instructs the user to install, open, or connect with a remote-support tool such as AnyDesk, TeamViewer, Quick Assist, or ScreenConnect — high-risk in an unsolicited document
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://mainstreetartcenter.net/uploads/1/3/0/6/130621467/130621467.html#nick+app+apkmirror
    • http://bradmcfarlane.ca/uploads/1/3/1/1/131164033/5c68bf.pdf
    • http://celizia.com/uploads/1/3/0/5/130547024/zegitijuva.pdf
    • http://cchswritingcenter.org/uploads/1/3/0/5/130551607/timatotusadim_linaluxefemuv.pdf
    • http://shop-offbeat.com/uploads/1/3/0/7/130775048/2688115.pdf
    • http://holypost.us/uploads/1/3/0/6/130604493/2972305.pdf
    • https://apps.4.1_r1
    • http://www.html
    • http://www..-an-otg-cable/
    • https://apkpure.0.balaji
    • https://www.bueller
    • http://cellphonetrackers.1
    • https://tinyurl
    • https://APKPure
    • http://www.0.aftvnews
    • https://apkpure
    • http://www.com/how-to-set-c
    • https://www.com/wake-lock-powerm..alt
    • https://APKMirror.com/how-to-conne
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://www.adobe.com/).Noto
    • http://www.google.com/get/noto/http://www.adobe.com/type/This
    • http://scripts.sil.org/OFLNoto

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00013bd7.bin
2e7c626cba774e296dd05d4fff2810fc4140f3636e18665ba44422b3a762328b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x13BD7 9932 bytes
font_01_sfnt_off000160fc.bin
399f11620155943aebfe0b638afeaa358d88c62598a0557a7aec8f983decb33a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x160FC 4332 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.