Malicious PDF — malware analysis report

Static analysis result for SHA-256 0e7af527f1504cc9…

MALICIOUS

PDF

36.8 KB Created: 2020-04-08 09:40:20 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: a4842d1f19a86fe18a1aa0ecfeba46fa SHA-1: 9fed959479567b1c4f284bdcc58d4839692909b7 SHA-256: 0e7af527f1504cc9d1e7966df45e869bafe922dbf7b8f716fc655f25905a16a6
136 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The document is identified as malicious by an ML classifier and exhibits characteristics of an advance-fee scam, using an immigration form lure. It contains a large number of external links, many of which point to PDF files hosted on similar domains, suggesting a link farm designed to obscure the true malicious intent. The primary IOCs are the numerous URLs embedded within the document, which likely lead to further malicious content or phishing pages.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Advance-fee lottery/parcel scam lure high SE_ADVANCE_FEE_SCAM_LURE
    Document contains lottery/beneficiary or prize language together with large-value draft/funds wording and parcel/courier delivery requirements. This is a classic advance-fee fraud document shape.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://happytechscore.com/uploads/1/3/1/0/131070521/131070521.html#immigration+and+naturalization+form+i-765
    • http://centerforembodiement.com/uploads/1/3/0/6/130639511/5395192.pdf
    • http://paperowlpress.com/uploads/1/3/0/2/130289736/xepijakefudujun.pdf
    • http://724detailing.com/uploads/1/3/0/4/130476310/pepizav_kenojosu_fogowowuba.pdf
    • http://visitwhc.com/uploads/1/3/0/4/130483794/6606332.pdf
    • http://laurenalessa.com/uploads/1/3/0/3/130324158/loxoxepevul_tisuwozisas.pdf
    • http://saltysweetadventures.com/uploads/1/3/0/6/130621393/4766657.pdf
    • http://pilatesbrienzseestark.com/uploads/1/3/0/2/130287279/tugufawabek.pdf
    • http://tweenulvijf.nl/uploads/1/3/0/6/130604449/tevemal.pdf
    • http://jwcleaningsolutions.org/uploads/1/3/0/5/130590594/zikolibopuse-sigetixojuk.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000067e2.bin
f54ebe6e5f14435fa90624ecd41a3b102b698293485497542c012b8c04612517		 pdf-font-stream PDF embedded font (sfnt) at offset 0x67E2 8024 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.