Malicious PDF — malware analysis report

Static analysis result for SHA-256 0e5bacb1edcd4b4b…

MALICIOUS

PDF

Size: 45.0 KB
Created: 2020-04-21 14:27:22 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 30e1faf2faa935065d4767fec2faace7
SHA-1: a463377f9084db71858d59834a4f7b86d97329a3
SHA-256: 0e5bacb1edcd4b4b5c7fa050f24971b265c820f5f208809778eb0360eabdd9cd
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document exhibits characteristics of a link farm or SEO spam, embedding numerous external links to other PDF files and an HTML page. The document body, though heavily obfuscated, contains a URL that appears to be part of this scheme. The ML classifier strongly indicated maliciousness, and the heuristic firings suggest a deliberate attempt to manipulate search engine results or redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    The PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL reached from the document body: http://meshayla.com/uploads/1/3/0/8/130814430/130814430.html#holland+lop+kit+color+guide

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00008965.bin
SHA-256: 4419969b67288f12d93883f7365a839b1af2d8d0eb7ca3b12fcc0b1327d3c849
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x8965
Size: 7836 bytes