Malicious PDF — malware analysis report

Static analysis result for SHA-256 04c2d3eb9d13a096…

Verdict: MALICIOUS
File type: PDF
Size: 40.3 KB
Created: 2020-06-17 23:19:59 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f2485e597a24e231eff3f09b5b03d603
SHA-1: 40453e2ac5a33bec839fe6f2bd3acb737eb63f1d
SHA-256: 04c2d3eb9d13a0969f4a06b8b16e4ea9b9841aacde7b93ea6ad6ad16c17f7a3a
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains a large number of clickable external links, flagged by the PDF_SEO_LINK_FARM heuristic. Links of this kind typically route users to malicious or unwanted-software download pages, or exist only to manipulate search engine rankings. The Nyx PDF classifier also scored the sample as malicious (1.0000). No scripts were extracted, so the document carries no active content of its own; the risk lies in the volume of outbound links, consistent with a content-luring or SEO-based attack that depends on the user following a link while the destination is still live.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G obj) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. Note that the namespace URIs (w3.org, purl.org, ns.adobe.com), the SIL OFL licence URL and, most likely, the ascendercorp.com URLs come from XMP metadata and the embedded font files rather than from link annotations; the /uploads/... PDF and HTML links are the ones that matter for the link-farm verdict.
    • http://shikuangzuqiu2013buding.br3h.com/uploads/1/3/0/9/130969089/130969089.html#mitsubishi+s4s+engine+manual
    • http://baystategalvanizing.com/uploads/1/3/0/4/130436182/tapimukejeli-nereji.pdf
    • http://nourishnation.co/uploads/1/3/0/6/130621952/kajijona_pubamudogi_nozup.pdf
    • http://inspiration-in.com/uploads/1/3/1/4/131438427/zumitejafufux_genexo_fokenajev.pdf
    • http://cosmicillustration.com/uploads/1/3/0/5/130589140/kefovofekev_mafiropukewije_padabofosezili_jorok.pdf
    • http://heiusa.net/uploads/1/3/0/8/130814769/dagikibovajomo.pdf
    • http://kellysgardeningservices.com.au/uploads/1/3/0/6/130605387/neradiragovareg.pdf
    • http://hostmaster.amyspetsitting.co.uk/uploads/1/3/0/9/130968912/maxonepodez.pdf
    • http://entretenimiento.ieselpicarral.com/uploads/1/3/1/4/131453945/foxabobomaworog.pdf
    • http://subrosapermanentcosmetics.com/uploads/1/3/0/5/130589137/7238552.pdf
    • http://local9109.org/uploads/1/3/0/7/130776499/72081fcb.pdf
    • http://cultivateworldliteracy.com/uploads/1/3/1/0/131070006/d3cfe4a1b2ef7b.pdf
    • http://sportsandfitnesssolutions.com/uploads/1/3/0/4/130488446/bfdf0e54aad1a5.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
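As an added example, not code from this report or its analysis engine, the following Python shows how the PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL checks above can be implemented over raw PDF bytes: it pulls http(s) targets out of /URI actions, measures how many links there are and how strongly they cluster on one host, and then finds indirect objects that are defined more than once with different bodies, raising severity only when one of the bodies carries active content. The embedded sample PDF, the size/link-count/host-share thresholds and the list of "active content" keys are assumptions chosen for illustration; the report's own thresholds are not published on this page.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (not the analysed file): a minimal PDF skeleton with five
# /URI link annotations, four of them on one host, followed by an incremental
# update that redefines object "4 0" with a body that now carries JavaScript.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R 6 0 R 7 0 R 8 0 R 9 0 R] >> endobj
4 0 obj << /Producer (example) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.example/uploads/1/a.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.example/uploads/2/b.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.example/uploads/3/c.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://other.example/d.pdf) >> >> endobj
9 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.example/uploads/4/e.html) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Producer (example) /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj
trailer << /Root 1 0 R /Prev 0 >>
%%EOF
"""

# /URI ( ... ) with backslash escapes honoured inside the literal string.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)
# "N G obj ... endobj" for every uncompressed indirect object in the file.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# Keys that make an object "active content" (assumed list for this example).
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA|SubmitForm|GoToR)\b")


def extract_external_links(pdf: bytes) -> list[str]:
    """Return http(s) targets of /URI actions found in the raw bytes.
    Simplification: literal strings only; hex strings, object streams and
    FlateDecode'd content would have to be decoded before this scan."""
    links = []
    for m in URI_RE.finditer(pdf):
        url = m.group(1).decode("latin-1")
        if urlsplit(url).scheme in ("http", "https"):
            links.append(url)
    return links


def link_farm_verdict(pdf: bytes, max_size: int = 256 * 1024,
                      min_links: int = 5, min_share: float = 0.6) -> dict:
    """PDF_SEO_LINK_FARM shape: a small file, many clickable external links,
    and most of them pointing at a single host (thresholds are assumptions)."""
    links = extract_external_links(pdf)
    hosts = Counter(urlsplit(u).hostname or "" for u in links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    share = top_n / len(links) if links else 0.0
    flagged = len(pdf) <= max_size and len(links) >= min_links and share >= min_share
    return {"size": len(pdf), "links": len(links), "hosts": len(hosts),
            "top_host": top_host, "top_host_share": share, "flagged": flagged}


def duplicate_objects(pdf: bytes) -> dict[str, list[bytes]]:
    """Map 'num gen' -> distinct body versions, in file order, for every
    object that is defined more than once with different body bytes."""
    bodies: dict[str, list[bytes]] = {}
    for m in OBJ_RE.finditer(pdf):
        key = f"{int(m.group(1))} {int(m.group(2))}"
        body = m.group(3).strip()
        versions = bodies.setdefault(key, [])
        if body not in versions:
            versions.append(body)
    return {k: v for k, v in bodies.items() if len(v) > 1}


def duplicate_object_findings(pdf: bytes) -> list[dict]:
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: report each redefined object with the
    body a first-wins reader sees versus a last-wins reader, and raise the
    severity only when any version carries active content."""
    findings = []
    for key, versions in duplicate_objects(pdf).items():
        active = any(ACTIVE_RE.search(b) for b in versions)
        findings.append({"obj": key, "versions": len(versions),
                         "first_wins": versions[0], "last_wins": versions[-1],
                         "active_content": active,
                         "severity": "high" if active else "info"})
    return findings


if __name__ == "__main__":
    print(link_farm_verdict(SAMPLE_PDF))
    for f in duplicate_object_findings(SAMPLE_PDF):
        print(f["obj"], f["severity"], "first-wins:", f["first_wins"],
              "last-wins:", f["last_wins"])
```

The two checks deliberately look at different things: the link-farm verdict only counts /URI actions, so benign metadata URLs such as XMP namespaces or a font licence string never contribute to it, while the duplicate-object check stays at "info" for the body-only differences an ordinary incremental save produces and only escalates when one version of the object introduces JavaScript, a launch action or another active key. On the constructed sample the first revision alone yields no duplicate finding; the appended update is what triggers the high-severity result.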

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size | SHA-256
font_00_sfnt_off00006095.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6095 | 5008 bytes | 86978fb12004a3495d7082b7224814cc3d55bc19c1cc1c3978914d629fb38064
font_01_sfnt_off0000716e.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0x716E | 10436 bytes | 177fcec94e1e886b5814a30507e1e7a0ad53665cd67136321d298aedd85fb3e9