Malicious PDF — malware analysis report

Static analysis result for SHA-256 091a04240dc305f8…

Verdict: MALICIOUS
File type: PDF

Size: 93.9 KB
Created: 2020-04-28 16:52:42 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: caa9309bce92f726c7d614c31673f06b
SHA-1: 26f1ac5bb19c0a051540392afec812a5b2f84893
SHA-256: 091a04240dc305f85b8607faf3f80e4be639baa823ac6de70e4d5db1f8909d90
Risk Score: 104

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which point to PDF files with numeric slugs, indicating a potential link farm for SEO manipulation or to host malicious content. The ML classifier also flagged this PDF as malicious with high confidence. While no scripts were extracted, the presence of numerous external URLs suggests a phishing or content-luring attack vector.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9993

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_DOWNLOAD_BUTTON (low): Visual download / call-to-action button lure
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off0000e2fa.bin | 71d8389df2213f002a0d5e94f39a6440eb3686cfd1eb1258271bce11681fcb0a | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE2FA | 18552 bytes
font_01_sfnt_off00011506.bin | 0ea46bea9fd47803f2d57a84098c343c826a00f43cbb87b40b3f38ff3ff8de9b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11506 | 7996 bytes
font_02_sfnt_off0001342d.bin | 2950d87d769d79d0d16faf16dcd761b2c0673d4bd237e761afb1007449cc6e80 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1342D | 1852 bytes
font_03_sfnt_off00013d44.bin | 6f8eff8310d1139e12f4d8d259ec0d0d6dad9a8c1c7ce75691f0761b36951fca | pdf-font-stream | PDF embedded font (sfnt) at offset 0x13D44 | 16372 bytes
font_04_sfnt_off0001535c.bin | 637b29e269131d1701045e0a13035d59858b8a1bcae69d381c4b6c7b97da0fca | pdf-font-stream | PDF embedded font (sfnt) at offset 0x1535C | 7368 bytes