Malicious PDF — malware analysis report

Static analysis result for SHA-256 0efa6f24073a4cf1…

MALICIOUS

PDF

44.1 KB Created: 2020-04-05 07:50:26 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 689bc0294ba58d30f7549bd12e59d684 SHA-1: ab7ac97ee260d97bbdad30ba552e671e3956477c SHA-256: 0efa6f24073a4cf1cf14b3a081e614b81980662222412db3d3d9ef76b22d8fb4
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF document contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic. The document body, though partially obfuscated, includes text related to educational problems and mentions the authoring application, suggesting a deceptive lure. The primary function appears to be directing users to a network of linked documents, likely for SEO manipulation or to serve as a distribution point for further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ecgcore.com/uploads/1/3/0/5/130542870/130542870.html#problemas+de+sumas+de+tres+cifras+para+segundo+grado
    • http://pagencajun.com/uploads/1/3/0/2/130271019/5435173.pdf
    • http://positionzero.com/uploads/1/3/0/8/130874674/4503361.pdf
    • http://robertsichinga.com/uploads/1/3/0/5/130588517/nojetiterikupapimuto.pdf
    • http://risingskyproductions.com/uploads/1/3/0/2/130289237/8ce12249d.pdf
    • http://mhcsutherland.com/uploads/1/3/0/5/130589342/kevikusigamepe.pdf
    • http://billaclaim.com/uploads/1/3/0/2/130287533/xukazufudumarez.pdf
    • http://thequeensofheart.love/uploads/1/3/1/3/131398164/8366593.pdf
    • http://letslie.com/uploads/1/3/0/6/130604631/tasatunu.pdf
    • http://helpsaveourhistory.com/uploads/1/3/0/5/130589322/nifumekoxufidixo.pdf
    • http://sharewellandprosper.com/uploads/1/3/0/5/130588622/lexuxisowe.pdf
    • http://bikramyogaoswego.com/uploads/1/3/0/6/130639698/c641e383da02c24.pdf
    • http://gobigplaybig.com/uploads/1/3/0/4/130477131/1231e.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006b9d.bin
370164a4984ea24744af2a6132b516bbfaeb7b059adecfa0e0d389d80c49ad4a		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6B9D 8964 bytes
font_01_sfnt_off00008c41.bin
779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8C41 16036 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.