Malicious PDF — malware analysis report

Static analysis result for SHA-256 072198bc6ffe840d…

Verdict: MALICIOUS
File type: PDF
Size: 35.8 KB
Created: 2020-04-05 08:41:32 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 0646fc04e35d58596853666a743fa9c6
SHA-1: a41e3e0993db60dcad36b611eb369c1bc9229e43
SHA-256: 072198bc6ffe840d6e741a976d9b79d1b5b1a5a97387484560f4623df704c267
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains a significant number of external links, flagged by the PDF_SEO_LINK_FARM heuristic. These links point to various domains, many of which appear to belong to a link farm. Although no scripts were explicitly extracted, the embedded URLs together with the ML classifier's high-confidence score suggest malicious intent, most likely SEO manipulation or redirection of users to potentially harmful content. The document body itself is heavily obfuscated and contains some of the URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, ID: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, ID: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, ID: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, ID: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006357.bin
SHA-256: 18773ed13f4c218b7216820ad32e208ba0574ce19e964ed5c120a3c793072684
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6357
Size: 8104 bytes