Malicious PDF — malware analysis report

Static analysis result for SHA-256 09238826075bb5e2…

MALICIOUS

PDF

82.9 KB Created: 2020-06-20 10:28:03 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b42d9f40467604d6a9ac2ccdf8c1fb11 SHA-1: 1872a57f9b3221b093d8e140d0390f82451e31de SHA-256: 09238826075bb5e2496cfa1b2437a381b95e582dff9a4051beb632a57eeae41c
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF document is identified as malicious by an ML classifier and contains a large number of external links, suggesting a link farm or SEO manipulation tactic. While no scripts were explicitly extracted, the presence of embedded URLs and the PDF structure itself indicates potential for malicious redirection or content delivery. The document's content is presented as a service manual, likely a lure to disguise its true purpose.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://houseforsalellc.com/uploads/1/3/2/6/132696146/132696146.html#honda+super+cub+110+service+manual
    • http://apicconference.ca/uploads/1/3/0/6/130639084/7763897.pdf
    • http://autodiscover.eoin-odowd.com/uploads/1/3/0/4/130476751/puzorikefivoga-xusok-kiram-domiwasig.pdf
    • http://regenerationaction.com/uploads/1/3/1/3/131384402/ee5e8b33b450.pdf
    • http://jewishfoshan.com/uploads/1/3/0/8/130874497/nabonevenopijigo.pdf
    • http://tallysmotors.com/uploads/1/3/0/2/130272613/7969086.pdf
    • http://artofearthlinks.org/uploads/1/3/0/7/130776680/b64a65379e0.pdf
    • http://meghannlaitherapy.com/uploads/1/3/0/2/130270985/gotejevetufetax_wafutatinuvuxas_lutod_xasos.pdf
    • http://123klart.se/uploads/1/3/0/5/130588272/zewomomapesu.pdf
    • http://weenlightenment.com/uploads/1/3/0/3/130313612/3659456.pdf
    • http://kailaswanson.com/uploads/1/3/0/6/130604498/vipufaj.pdf
    • http://hostmaster.janetssheargenius.com/uploads/1/3/1/3/131380065/nixinufixavive.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0001023f.bin
319b20f80e2dc510b748233accd658304ec7c46325907aab7679b63e1e978094		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1023F 5376 bytes
font_01_sfnt_off00011461.bin
d2704d6f78c11c510170b696fdc979e2906dc0d27221c9b1428c59152732fb00		 pdf-font-stream PDF embedded font (sfnt) at offset 0x11461 13040 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.