Malicious PDF — malware analysis report

Static analysis result for SHA-256 089325468264e38d…

Verdict: MALICIOUS
File type: PDF
Size: 53.0 KB
Created: 2020-04-20 03:15:24 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 00f7f2b238c04e5afe1ba9fdee872b1d
SHA-1: 08abf2d94c266f5765ec13267854779a37440080
SHA-256: 089325468264e38d2b7d9944a75a46ebb321d3907a35b0f4d33a4188ae86fd13
Risk Score: 136

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains a large number of external links, identified as a link farm, suggesting a deceptive purpose such as SEO manipulation or hosting malicious content. The heuristic 'SE_LOLBIN_RUN_COMMAND' also indicates the presence of a command-line token within the document text, potentially for executing further actions. While no scripts were explicitly extracted, the overall structure and the presence of numerous external URLs point towards a malicious intent to redirect users to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9969

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • LOLBin token sequence in document text [high] SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000a520.bin
    SHA-256: 34f5921abe9d968432e96391a4230b37bdf389c77bf894280d97d81820fe19cb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA520
    Size: 9400 bytes