Malicious PDF — malware analysis report

Static analysis result for SHA-256 1147ce59e5903160…

Verdict: MALICIOUS
File type: PDF
Size: 36.7 KB
Created: 2020-06-09 02:28:26 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 40a449a228f5a27850e425bf534ac828
SHA-1: 2ef4bfc0f4aa2532e5bc31ba9baa2e01d6d0ec5d
SHA-256: 1147ce59e590316087fe5ba0a99e9b16fa26c4632be60aa7b6f5287ddf534b0d
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF file contains numerous embedded links to external websites, many of which point to PDF files with numeric slugs, suggesting a link farm or SEO abuse for malicious purposes. The document body, though heavily obfuscated, contains text that appears to be a lure related to 'concession'. The ML classifier strongly indicated maliciousness, and the presence of many URLs of unknown reputation supports this. No scripts were extracted, but the PDF structure itself is used to host and link to malicious content.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 1

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00005eaf.bin
    SHA-256: 9fe759c60bb2576c10175263772bf9f2d62bebd13709a8893d165d7ebae399eb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5EAF
    Size: 12052 bytes