Malicious PDF — malware analysis report

Static analysis result for SHA-256 0a6673f6e9ee083c…

MALICIOUS

PDF

Size: 59.4 KB
Created: 2020-04-03 05:33:50 +03:00
Authoring application (Producer metadata): wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: dbd8f4ae43471ec4a0545667e52f59e4
SHA-1: f28dc544200a4dc2c27e3aa11014380dfd5bb01e
SHA-256: 0a6673f6e9ee083c44cef81eb2b623f1438c1e3d3b73d5385cae21bda02ed770

Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript (tagged by the analyser; none of the four static heuristics below reports JavaScript, so this mapping is not backed by evidence on this page and should be treated as a classifier-side label rather than an observed capability)

The PDF is a small document rendered from HTML: the Producer metadata names wkhtmltopdf 0.12.1.4 on Qt 4.8.6, which is how a web page is turned into a PDF, not how an office document is authored. Its link annotations point at 19 further PDFs hosted on 19 unrelated domains, and every target shares the same /uploads/1/3/x/x/<nine-digit id>/<random name>.pdf path scheme, which is consistent with a batch of link-farm PDFs uploaded through one site-builder or hosting platform rather than with a normal citation pattern. The partially corrupted body text and the lure page URL (its fragment reads 'quiet movie free download') show the hook: the document exists to catch users searching for pirated media and route them through a chain of SEO gateway pages and PDFs into unwanted-software or malicious delivery. None of the static heuristics reports JavaScript, launch actions or an embedded executable; the hazard is the outbound links. The ML classifier scored the file 1.0000 malicious, in line with these structural indicators.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • [critical] PDF_SEO_LINK_FARM: small PDF contains a mass external PDF link farm
    A small PDF carries many clickable external links to other PDFs. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern. The rule text expects the links to cluster on one host; in this sample they cluster on one path scheme instead and are spread across 19 different domains (see the URL list below).
  • [info] PDF_URI: external URI action
    The PDF contains at least one /URI action, i.e. a clickable link that opens an external URL.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A reader that honours the first definition and one that honours the last will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are also common in benign incremental updates (saving an edit appends a new copy of the object), so severity is raised only when the duplicate carries active content; here it stays at info.
  • [info] EMBEDDED_URL: embedded URLs
    One or more URLs were extracted from the document. A URL by itself is not a detection; the analyser's per-URL channel labels (macro, JS, link annotation, document body, ...) are not reproduced on this page, so the list below is grouped by what each URL evidently is.
    Lure page (carries the search term 'quiet movie free download' as its URL fragment):
    • http://marikacleaningservice.com/uploads/1/3/0/5/130590310/130590310.html#quiet+movie+free+download
    Link-farm targets (19 PDFs on 19 unrelated domains sharing the /uploads/1/3/x/x/<id>/ path scheme):
    • http://midroguecert.com/uploads/1/3/0/5/130540286/wamasitorowawizex.pdf
    • http://balarqualitysystems.com/uploads/1/3/0/7/130739322/ruwemerogas.pdf
    • http://lettersfromjacque.com/uploads/1/3/0/5/130590550/gegigu_sanuxupunezovex_zilefenefokilel.pdf
    • http://mdprtnrs.com/uploads/1/3/0/5/130551162/51b16.pdf
    • http://ecocleanersorcasisland.com/uploads/1/3/0/6/130621392/zaxosesebumoxujesa.pdf
    • http://bradeaton.net/uploads/1/3/0/7/130775544/wiwofavigulu.pdf
    • http://bethelovefoundation.net/uploads/1/3/0/8/130874554/9c703a5d0db5.pdf
    • http://normandyoptical.biz/uploads/1/3/1/3/131398182/fovopidib-zamiwilajib.pdf
    • http://mercyinguyana.org/uploads/1/3/0/7/130775545/denaverumuv_wubotewed_muboxiseladiz_kawogagovisugad.pdf
    • http://darksidesilver.com/uploads/1/3/0/3/130313363/658497.pdf
    • http://www.bbchuxing.com/uploads/1/3/0/4/130436367/8926144.pdf
    • http://friendsoftoussaint.org/uploads/1/3/0/3/130313673/gofoxisa_xanisaned.pdf
    • http://barridolaw.com/uploads/1/3/0/6/130620209/xabasu-pevunuwil-motatutexesus-batedev.pdf
    • http://centralviewtechnologies.com/uploads/1/3/0/3/130313336/tagujoputebuzonas.pdf
    • http://onairwithdouglas.com/uploads/1/3/0/4/130478772/6726873.pdf
    • http://salonshibumi.com/uploads/1/3/0/6/130640088/83a4032b8ba1c.pdf
    • http://danlittleresume.com/uploads/1/3/0/2/130270768/8d217cf1332b.pdf
    • http://vs2global.com/uploads/1/3/0/2/130291699/fapufosen_doluperipor_jatemif_tenuzigizuda.pdf
    • http://psychologenpraktijk-helder.com/uploads/1/3/0/3/130323585/eb7bc.pdf
    Namespace, font-vendor and font-licence strings (consistent with XMP metadata and the name tables of the embedded fonts rather than clickable links; benign on their own):
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
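The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced on a raw file with a short scanner. The Python below is an added example written for this report, not the analyser's code. It embeds a constructed sample PDF (the host names, object numbers and URLs in it are made up and are not the analysed file), collects every /URI action, reports object ids defined more than once with differing bodies together with their first-wins and last-wins resolutions, and scores the link-farm shape. The size and link-count thresholds are assumptions chosen for the demo, not the analyser's.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample (NOT the analysed file): a minimal PDF in the shape the
# report describes. Link annotations point at .pdf files on many unrelated
# hosts that share one /uploads/... path scheme, and an appended incremental
# update redefines object 6 with a different body. xref tables are omitted
# because the scanner below works on raw object syntax, not on the xref.
FARM_HOSTS = ["a-example.test", "b-example.test", "c-example.test",
              "d-example.test", "e-example.test", "f-example.test"]


def _link_annot(num, url):
    return (f"{num} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
            f"/A << /S /URI /URI ({url}) >> >>\nendobj\n")


SAMPLE_PDF = (
    "%PDF-1.4\n"
    "1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    "2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    "3 0 obj\n<< /Type /Page /Parent 2 0 R "
    "/Annots [6 0 R 10 0 R 11 0 R 12 0 R 13 0 R 14 0 R 15 0 R] >>\nendobj\n"
    + _link_annot(6, "http://benign.example.test/about.html")
    + "".join(_link_annot(10 + i, f"http://{h}/uploads/1/3/0/5/1305{i:05d}/x.pdf")
              for i, h in enumerate(FARM_HOSTS))
    + "trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    # Incremental update: object 6 is redefined with a different body.
    + _link_annot(6, "http://g-example.test/uploads/1/3/0/5/130599999/y.pdf")
    + "trailer\n<< /Root 1 0 R >>\n%%EOF\n"
).encode("latin-1")

# Raw "N G obj ... endobj" scanner. It does not inflate /ObjStm object streams
# or follow the xref, so it sees every definition in file order.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# /URI literal string, allowing backslash-escaped characters inside it.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def scan_objects(data):
    """Return [(num, gen, body_bytes)] for every object definition, in file order."""
    return [(int(n), int(g), body.strip()) for n, g, body in OBJ_RE.findall(data)]


def duplicate_objects(objs):
    """Object ids defined more than once with different bodies, with the body a
    first-wins reader and a last-wins reader would each resolve."""
    seen = {}
    for num, gen, body in objs:
        seen.setdefault((num, gen), []).append(body)
    return {k: {"definitions": len(v), "first_wins": v[0], "last_wins": v[-1]}
            for k, v in seen.items() if len(set(v)) > 1}


def extract_uris(objs):
    """Every /URI target in every definition (a superset of what any one
    reader would render, which is what an analyst wants)."""
    uris = []
    for _, _, body in objs:
        for raw in URI_RE.findall(body):
            raw = raw.replace(rb"\(", b"(").replace(rb"\)", b")").replace(rb"\\", b"\\")
            uris.append(raw.decode("latin-1"))
    return uris


def score_link_farm(data, uris, small_kb=200, min_pdf_links=5):
    """Link-farm shape: small file, many external .pdf targets. Also reports
    host and path-scheme clustering, since this sample clusters on path, not host.
    Thresholds are demo assumptions."""
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    # Collapse digits so /uploads/1/3/0/5/130540286 and /uploads/1/3/0/7/130739322 compare equal.
    schemes = Counter(re.sub(r"\d+", "N", urlparse(u).path.rsplit("/", 1)[0]) for u in pdf_links)
    size_kb = len(data) / 1024
    return {
        "size_kb": round(size_kb, 1),
        "external_pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host_share": round(hosts.most_common(1)[0][1] / len(pdf_links), 2) if pdf_links else 0.0,
        "dominant_path_scheme": schemes.most_common(1)[0][0] if schemes else None,
        "flag": size_kb < small_kb and len(pdf_links) >= min_pdf_links,
    }


if __name__ == "__main__":
    objs = scan_objects(SAMPLE_PDF)
    for (num, gen), d in duplicate_objects(objs).items():
        print(f"obj {num} {gen} defined {d['definitions']}x; first-wins: {d['first_wins'][:60]!r}")
        print(f"  last-wins:  {d['last_wins'][:60]!r}")
    print(score_link_farm(SAMPLE_PDF, extract_uris(objs)))
```

The regex scanner is deliberately xref-agnostic so that both copies of a redefined object are visible; on a real sample pair it with a parser that inflates object streams and resolves the xref (for example pdf-parser.py with `--search URI`) before trusting a link count, since a link farm hidden inside a compressed /ObjStm would be missed by the raw scan.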

Extracted artifacts (5)

Files carved from inside the sample during analysis. All five are embedded font programs (sfnt containers), which matches the font-licence strings in the URL list (DejaVu, Liberation, GNU FreeFont) and is expected for a wkhtmltopdf-rendered document; no executable, script or other payload was carved.

font_00_sfnt_off00007d87.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x7D87
  Size:    6836 bytes
  SHA-256: 08a5200c724824171a1ca6c072aa5ff2681cf26af651cf1e3b97d8563209df2d

font_01_sfnt_off00008e80.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0x8E80
  Size:    9636 bytes
  SHA-256: e05deb7944e89d3b794ae3e05065db0a72036c000b1744e94adbcc88a495edb2

font_02_sfnt_off0000b20a.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xB20A
  Size:    2796 bytes
  SHA-256: 03d94dafe85f1817def8cb4176ff2e6ec75ae7c5297a9b415b5311a275d33c38

font_03_sfnt_off0000bbee.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xBBEE
  Size:    2148 bytes
  SHA-256: 908225b63e1717ce4d9443c39e5e0249165423a6f1725031e285b2c0c3b49b5f

font_04_sfnt_off0000c5d4.bin
  Kind:    pdf-font-stream
  Source:  PDF embedded font (sfnt) at offset 0xC5D4
  Size:    16776 bytes
  SHA-256: 5b0799c45204aa059b9f98fed62064b8dbdb1a9286ac2f5f8db5a338179010e1