Malicious PDF — malware analysis report

Static analysis result for SHA-256 0dff50330b1a3afc…

MALICIOUS

PDF

44.8 KB Created: 2020-04-17 21:42:55 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: d302dd989bdf2117bc131280f76bdc88 SHA-1: 6616cbb880cea79a9f5170057addbee9feaa941b SHA-256: 0dff50330b1a3afc5ff08a745a7205f8408a815fd7579137a9e3eb73f63236dd
104 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF document contains numerous embedded links, forming a link farm, with one prominent link suggesting a download for 'Teatv apk for smart tv'. The ML classifier strongly flagged this PDF as malicious, and the presence of many external URLs indicates an attempt to redirect the user to potentially harmful content. No scripts were extracted, but the overall structure and heuristic firings suggest a malicious lure.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://vesblog.com/uploads/1/3/1/0/131070010/131070010.html#teatv+apk++for+smart+tv
    • http://stephenjernigan.com/uploads/1/3/0/6/130604133/441c1d4eb766e.pdf
    • http://evosys.services/uploads/1/3/1/1/131164054/1312161.pdf
    • http://alluredollhouse.com/uploads/1/3/1/4/131438481/3347445.pdf
    • http://stoneycreekalabama.com/uploads/1/3/1/0/131070612/dcf7813.pdf
    • http://mdcspa.com/uploads/1/3/0/5/130540146/f48deb1.pdf
    • http://oaklandsacademy.net/uploads/1/3/0/3/130323707/2275152.pdf
    • http://lhsgaelic.com/uploads/1/3/1/4/131482907/1e3a63.pdf
    • http://susanarleneschmittart.com/uploads/1/3/1/1/131164375/votog_tajokoje_zizuxadi.pdf
    • http://austin5iorg.org/uploads/1/3/0/6/130639928/6105178.pdf
    • http://maw-maws.com/uploads/1/3/0/6/130604666/bosowemut.pdf
    • http://ocbpropertyinspections.com/uploads/1/3/0/6/130639227/pofevif.pdf
    • http://patriot5star.com/uploads/1/3/0/7/130775361/55fe0de6c9765.pdf
    • http://rspwellness.com/uploads/1/3/1/3/131383404/wemaxavor-xifajoxun.pdf
    • http://upstarrpactreasurehunt.com/uploads/1/3/1/0/131071082/tilelav.pdf
    • http://fwclifestyle.com/uploads/1/3/0/5/130551198/2699675.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000087b9.bin
d413f22493198d51ab66e725e5d99ad9303a0acbca46a25212e8483f2904dad7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x87B9 8124 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.