Malicious PDF — malware analysis report

Static analysis result for SHA-256 0ee6e531a768c56b…

MALICIOUS

PDF

34.3 KB Created: 2020-04-14 15:17:11 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 0795d58560d4d02863fcd1294e66e3a7 SHA-1: 89d12b0181b049b4b82ab7a9c88bf5bbc58e951a SHA-256: 0ee6e531a768c56b004b873bc2e693b28b6bd5f43a4dc58fb5b3b7cd2138a8ad
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous external links, identified as a 'link farm', suggesting an attempt to direct users to malicious content. The document body, though partially corrupted, includes a URL that appears to be a lure for 'analytical aptitude test questions and answers'. The ML classifier strongly indicates maliciousness, and the presence of embedded URLs points towards a phishing or content-distribution scheme.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://wehappyhair.com/uploads/1/3/1/4/131406092/131406092.html#analytical+aptitude+test+questions+and+answers+pdf
    • http://automatacoin.com/uploads/1/3/0/8/130814534/susisedofuwegibe.pdf
    • http://gau8n2.com/uploads/1/3/0/7/130775657/dezova.pdf
    • http://glittergaze.com/uploads/1/3/0/2/130289732/4486828.pdf
    • http://coachellascreenprinting.com/uploads/1/3/0/7/130740356/6314469.pdf
    • http://michigancabinetmakers.com/uploads/1/3/0/6/130640178/zojupegajaben.pdf
    • http://beatdowncards.com/uploads/1/3/1/4/131453540/3687832.pdf
    • http://olaliliana.com/uploads/1/3/0/5/130588503/lufij-xumokukima.pdf
    • http://frontiertech.shop/uploads/1/3/0/7/130739404/gumexalaraj.pdf
    • http://bestbargainsbuys.com/uploads/1/3/0/7/130776147/lugiwuf-dapelopurowuno-girurumode.pdf
    • http://bonnievig.com/uploads/1/3/0/7/130738507/pobeledosuvubami.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005d22.bin
d8252fd474c9ba0e8d9c4bba2ab0cb472873120d7ce0f8b785284c0cc9b3d0af		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5D22 8316 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.