Malicious PDF — malware analysis report

Static analysis result for SHA-256 13c511d1771fc57d…

MALICIOUS

PDF

36.7 KB Created: 2020-04-06 13:16:10 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 7f49e7aac4ed171554ba9579d36abec4 SHA-1: d19b04d03b53591d5a36d25a74706e52a94b5b67 SHA-256: 13c511d1771fc57d2de34ae56a22e3d3d30237b7fd8d43fc4c9c9c38d7e72cda
144 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1203 Exploitation for Client Execution T1059.007 JavaScript

The PDF document contains multiple external links, many of which point to PDF files hosted on various domains, suggesting a link farm or redirection mechanism. The document also explicitly instructs the user to disable security software, a strong indicator of malicious intent. The presence of embedded URLs and the ML classifier's high confidence score further support a malicious classification. The document's structure and content suggest it is designed to trick users into downloading potentially harmful files.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 6

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Security software disable instruction high SE_SECURITY_BYPASS
    Document instructs the user to disable antivirus or security software — unusual for ordinary documents and high-risk in an unsolicited file
  • Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://digitalbaseltd.org/uploads/1/3/1/3/131379168/131379168.html#download+removewat+windows+7+64+bit
    • http://jossiomi.com/uploads/1/3/1/1/131164538/wozegotapokarib-sefot.pdf
    • http://minkacademy.com/uploads/1/3/0/3/130379711/namebegug-zulovunat.pdf
    • http://nsepulveda.com/uploads/1/3/0/6/130639395/7cd23fa3686e22d.pdf
    • http://soffice.info/uploads/1/3/0/2/130272420/motifigi.pdf
    • http://real-woods.com/uploads/1/3/1/0/131070458/tinutixuxubop.pdf
    • http://americanbrickandlandscape.com/uploads/1/3/0/7/130739278/jafepuvewozetix-xoweno-gimepure-jokagipiragusu.pdf
    • http://www.tarisolutions.com/uploads/1/3/0/9/130970009/c9f89669e3c19.pdf
    • http://3800-3828hawthorn.com/uploads/1/3/0/7/130776043/8903167.pdf
    • http://yeswithjohnwilson.com/uploads/1/3/0/6/130620547/0489b7ae.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000065a1.bin
e9e707a5381c337124766bfdb3b5ad25d716b4d1170887632b06ddd4eed13819		 pdf-font-stream PDF embedded font (sfnt) at offset 0x65A1 8016 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.