Malicious PDF — malware analysis report

Static analysis result for SHA-256 06257dfdb5c8de79…

MALICIOUS

PDF

39.8 KB Created: 2020-05-30 17:00:11 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0101aab68fe280c329938830402701cf SHA-1: b9a270f862596ecc1fce6b82ed341947525f1f81 SHA-256: 06257dfdb5c8de7914bcee93e94ff6b424408bf9ca6c0bbe89a010bf207ca7f2
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a significant number of external links, identified as a link farm, suggesting a tactic to drive traffic to potentially malicious sites. The document body, though heavily obfuscated, contains URLs that are also present in the heuristic findings. No scripts were extracted, but the presence of numerous external links and the ML classifier's high confidence indicate a malicious intent, likely related to SEO manipulation or hosting further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9940

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://harrisonrappaport.com/uploads/1/3/1/3/131382346/131382346.html#minecraft+1.7+10+silah+mod+9minecraf
    • http://positiveimpactcenter.org/uploads/1/3/0/3/130323392/devowuw.pdf
    • http://sarahfebrescordero.com/uploads/1/3/0/5/130544191/f8ffc9.pdf
    • http://westseattletherapists.com/uploads/1/3/1/3/131398416/gajowajivudu.pdf
    • http://smarthomesbrisbane.com/uploads/1/3/1/4/131408245/sagesanisutasi.pdf
    • http://sonyakrakoff.com/uploads/1/3/1/4/131453494/9310e78a05b83.pdf
    • http://tokyoiidaoffice.com/uploads/1/3/0/7/130776177/600093.pdf
    • http://vildtgaarden.com/uploads/1/3/0/6/130604771/zulafime_muparirupapo.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005bb9.bin
3de810e92bf86fc087764645933b7530d8ca8ef9310ce87596eb1f82762eb5e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5BB9 10456 bytes
font_01_sfnt_off00007fa3.bin
f7fb55aa7df24da556f1e6a14ff3e973b5c7274e6851c040e899454d18355684		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7FA3 16064 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.