Malicious PDF — malware analysis report

Static analysis result for SHA-256 0ee4ee59299b1af2…

MALICIOUS

PDF

37.7 KB Created: 2020-03-26 12:23:17 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 39bb8d39941c01ec2d58d81bc6f9b8c9 SHA-1: ade28de8a01a87dfaa258a546f87ee1c83d84375 SHA-256: 0ee4ee59299b1af2c82ceec13018c41fc22191ffcfb68b10884e1613d27dc10e
136 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of external links, many of which point to other PDF files hosted on various websites. This behavior is indicative of a link farm or a mechanism to redirect users to potentially malicious content. The ML classifier strongly flagged this PDF as malicious, supporting the assessment of a malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF link to algorithmically-generated URL high PDF_RANDOM_URL_LINK
    PDF contains a clickable HTTP(S) link whose host looks algorithmically generated (pronounceable-random labels) and whose path/query carries a long high-entropy token. This is the randomized-redirector pattern of malspam phishing lures — the visible document is only a prompt — not a PDF parser vulnerability.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://kcbevco.com/uploads/1/3/1/4/131406036/131406036.html#tmea+all+state+etudes+pdf
    • http://www.yogawithellie.com/uploads/1/3/0/4/130489253/690d1.pdf
    • http://southernsweetts.com/uploads/1/3/0/7/130776316/1f414.pdf
    • http://jeffcarterproductions.com/uploads/1/3/0/2/130272610/4105396.pdf
    • http://preferredconsultinggroup.com/uploads/1/3/0/4/130490277/6329329.pdf
    • http://woeblindbirds.com/uploads/1/3/0/5/130588603/082db9e163bea.pdf
    • http://thegraphitestore.shop/uploads/1/3/0/6/130604564/626297128e704f2.pdf
    • http://www.truelifepractice.com/uploads/1/3/0/7/130775242/nusedikim.pdf
    • http://www.davescustomcars.com/uploads/1/3/0/6/130621959/tevusonidurifi-zuzawanemejaba-sosaxiw-nixefukumesabe.pdf
    • http://colegiodoloresmancilladeflores.com/uploads/1/3/0/9/130969762/4b746d8.pdf
    • http://casadecampooceanfrontvilla.com/uploads/1/3/0/2/130289227/6618901.pdf
    • http://v2leadership.com/uploads/1/3/0/6/130639622/7997722.pdf
    • http://gracefuldiva.com/uploads/1/3/0/6/130620760/zaxov.pdf
    • http://whonj.org/uploads/1/3/0/5/130539517/2208574.pdf
    • http://doublemconstructionllc.org/uploads/1/3/0/5/130540280/8121e4dbaaa3.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006897.bin
1fdee631505c9be39c765450a9f1b871e1f5a752e310c9798ccde51ad5a109ad		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6897 8596 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.