Malicious PDF — malware analysis report

Static analysis result for SHA-256 085aeb6505ba93b1…

Verdict: MALICIOUS
File type: PDF
Size: 41.6 KB
Created: 2020-06-20 01:46:34 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3d000ccb976deeb19f0ee9a2c8bfbb52
SHA-1: cc25b62a53af97b6900d29693dc09da0340a1e1b
SHA-256: 085aeb6505ba93b18a008378371aa9a16f7f4a8a4731ee2a3024746d2d839ee1
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document is identified as malicious by an ML classifier and contains a large number of external links, indicative of a link farm or SEO spam tactic. The document body, while appearing to be about 'Beginners guide to java game programming', contains numerous URLs pointing to other PDF files on various domains. This suggests the primary purpose is to redirect users to potentially malicious content or to manipulate search engine rankings.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000062ea.bin
    SHA-256: 56eabdd2327fa6412cd04ccccc02377f001f16e3af97cbf48d751a94ffeaf27a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x62EA
    Size: 5316 bytes
  • Filename: font_01_sfnt_off000074ee.bin
    SHA-256: 81a2e21e37e49e831a6eeb92dad408033c4eeacf18d8d44e642890a31560bceb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x74EE
    Size: 10820 bytes