Malicious PDF — malware analysis report

Static analysis result for SHA-256 112b532ce99775ad…

Verdict: MALICIOUS

Type: PDF
Size: 34.0 KB
Created: 2020-06-02 06:07:28 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: af3645e2ae11c3f6dcb21a916609da75
SHA-1: 5fe8f14d7019a5cfab1b90aa0ccb8ef3d701ffa1
SHA-256: 112b532ce99775ad95271ff6e0be61da51d4d13268b794582de1ca26c5eb44b7
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The document carries a large number of external link annotations, flagged by the PDF_SEO_LINK_FARM heuristic. The primary link, http://dedic-11-surveilance.pleasingfood.com/uploads/1/3/1/8/131856402/131856402.html#dentista+siena+pacciani, points at a lure page on a host that also serves the document's terms, DMCA and policy pages; the remaining links lead to further PDFs on other hosts and on files.wordpress.com. The ML classifier also scores the file as malicious (0.9999). The document body is heavily obfuscated and repeats these links, which reinforces the link-farm pattern: generated SEO-spam carriers of this kind are used to funnel users into malicious redirection or unwanted-software delivery chains rather than to cite sources.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_URI: External URI info
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs reached from the document:
    • http://dedic-11-surveilance.pleasingfood.com/uploads/1/3/1/8/131856402/131856402.html#dentista+siena+pacciani (primary link)
    • http://314printhouse.com/uploads/1/3/0/6/130605254/be7514aa4.pdf
    • http://sparkmechanical.com/uploads/1/3/1/3/131384777/nilaredepadimiwa.pdf
    • http://leatheriphonejournal.com/uploads/1/3/1/4/131409009/8858041.pdf
    • http://ethostax.com/uploads/1/3/0/2/130289508/2869074.pdf
    • http://pinebeachhomeowners.com/uploads/1/3/1/4/131453456/minubijo-geruzutujud.pdf
    • http://dedic-11-surveilance.pleasingfood.com/uploads/1/3/1/8/131856402/terms.html
    • http://dedic-11-surveilance.pleasingfood.com/uploads/1/3/1/8/131856402/dmca.html
    • http://dedic-11-surveilance.pleasingfood.com/uploads/1/3/1/8/131856402/policy.html
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://vutokavajino.files.wordpress.com/2020/05/38189023986.pdf
    • https://kovimaj.files.wordpress.com/2020/06/53753881365.pdf
    • https://vurizuzuni.files.wordpress.com/2020/05/dumob.pdf
    • https://mamonuno.files.wordpress.com/2020/06/tefutevarunepetupizu.pdf
    • https://lakuvipejuz106751964.files.wordpress.com/2020/06/56350922369.pdf
    Well-known namespace and licence identifiers (standard XMP/RDF namespace URIs and the SIL Open Font License URL); these are metadata references, not lure links:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
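The two heuristics worth reproducing by hand are PDF_SEO_LINK_FARM (small file, many /URI link actions clustered on one host) and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (one object number defined twice with differing bodies, so first-wins and last-wins readers disagree). The script below is an added illustration, not the analysis platform's own code. It scans a hand-written, uncompressed PDF skeleton constructed for this example (not the analysed sample) with a naive regex over `N G obj ... endobj`; it does not handle cross-reference tables, compressed object streams or escaped parentheses in string literals, and the size, link-count and clustering thresholds are assumptions, since the platform's real cut-offs are not given on this page.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Thresholds are assumptions for this illustration; the platform's real
# PDF_SEO_LINK_FARM cut-offs are not published on the report page.
MAX_SMALL_PDF = 64 * 1024   # "small" PDF: at most 64 KiB
MIN_LINKS = 4               # minimum clickable external links to count as a farm
CLUSTER_RATIO = 0.6         # share of links that must sit on one host

# Constructed test input (not the analysed sample): four /URI link annotations,
# three on one host, and object "5 0" redefined with a different body in an
# incremental update appended after the first %%EOF.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R] >>
endobj
4 0 obj
<< /Subtype /Link /A << /S /URI /URI (http://farm.example/uploads/1/a.pdf) >> >>
endobj
5 0 obj
<< /Subtype /Link /A << /S /URI /URI (http://farm.example/uploads/1/b.pdf) >> >>
endobj
6 0 obj
<< /Subtype /Link /A << /S /URI /URI (http://farm.example/uploads/1/c.pdf) >> >>
endobj
7 0 obj
<< /Subtype /Link /A << /S /URI /URI (https://other.example/terms.html) >> >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
5 0 obj
<< /Subtype /Link /A << /S /URI /URI (http://farm.example/uploads/1/b-updated.pdf) >> >>
endobj
trailer
<< /Root 1 0 R /Prev 0 >>
%%EOF
"""

# Indirect object "N G obj ... endobj"; naive, no xref or object-stream handling.
OBJ_RE = re.compile(rb"^(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S | re.M)
# /URI (string) inside a URI action; assumes no escaped parentheses in the string.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")

def indirect_objects(pdf: bytes):
    """All (num, gen, body) definitions in file order, duplicates included."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip())
            for m in OBJ_RE.finditer(pdf)]

def resolve_all(pdf: bytes, policy: str = "last"):
    """Map (num, gen) -> body under a first-wins or last-wins reader model."""
    first, last = {}, {}
    for num, gen, body in indirect_objects(pdf):
        first.setdefault((num, gen), body)   # keep the earliest definition
        last[(num, gen)] = body              # overwrite with the latest one
    return first if policy == "first" else last

def resolve_object(pdf: bytes, num: int, gen: int, policy: str = "last") -> bytes:
    """Body of one object as a first-wins or last-wins reader would see it."""
    return resolve_all(pdf, policy)[(num, gen)]

def duplicate_objects(pdf: bytes):
    """Objects defined more than once with differing bodies (the
    PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape); value is (first, last) body."""
    first, last = resolve_all(pdf, "first"), resolve_all(pdf, "last")
    return {k: (first[k], last[k]) for k in first if first[k] != last[k]}

def uri_targets(pdf: bytes, policy: str = "last"):
    """External URI action targets as a reader with the given policy resolves them."""
    objs = resolve_all(pdf, policy)
    return [m.group(1).decode("latin-1")
            for key in sorted(objs)
            for m in URI_RE.finditer(objs[key])]

def link_farm_score(pdf: bytes, policy: str = "last"):
    """Link-farm check: small file, many external links, clustered on one host."""
    urls = uri_targets(pdf, policy)
    hosts = Counter(urlsplit(u).hostname or "" for u in urls)
    top_host, top_n = hosts.most_common(1)[0] if hosts else ("", 0)
    flagged = (len(pdf) <= MAX_SMALL_PDF
               and len(urls) >= MIN_LINKS
               and top_n / len(urls) >= CLUSTER_RATIO)
    return {"size": len(pdf), "links": len(urls), "hosts": len(hosts),
            "top_host": top_host, "top_host_links": top_n, "flagged": flagged}
```

Running `link_farm_score(SAMPLE_PDF)` flags the constructed file (4 links, 3 of them on farm.example), and `duplicate_objects(SAMPLE_PDF)` reports object 5 0 with its two bodies; calling `uri_targets` with `policy="first"` versus `policy="last"` shows the reader-dependent link set that the duplicate-object heuristic warns about. On a real sample you would apply the same checks to the decoded object tree rather than to raw bytes.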

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005927.bin
SHA-256: b2a504c10c757203575be8db4e2fc8032a29dff036a2f58d8498dfaee5f2d1a8
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5927
Size: 10972 bytes