Malicious PDF — malware analysis report

Static analysis result for SHA-256 1409efd12aa4e296…

MALICIOUS

PDF

63.6 KB Created: 2020-04-15 03:29:57 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 25b87e5f8428a7092934c7a51c6cce52 SHA-1: 80272c4bba19cb4d68084473a8cc9a74ff76355c SHA-256: 1409efd12aa4e296fe4f208b1e6ef20749f4776a6c3d7cf35718a117fd716d94
136 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document contains numerous external links, a common tactic for SEO poisoning and phishing. The 'MFA / one-time-code harvesting lure' heuristic indicates the document is designed to trick users into providing sensitive authentication information. The embedded URLs likely lead to pages attempting to steal credentials or session tokens.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9684

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • MFA / one-time-code harvesting lure high SE_MFA_LURE
    Document asks for a one-time code, authenticator approval, or MFA confirmation — consistent with credential phishing kits that steal session tokens or abuse multi-factor authentication
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://beaverdamchurchonline.org/uploads/1/3/0/3/130379377/130379377.html#bir+form+2307+pdf+template
    • http://semboards.com/uploads/1/3/0/3/130323599/16284d38aa2f.pdf
    • http://tomleevideos.com/uploads/1/3/0/6/130639444/tupejirezuti.pdf
    • http://youarenotalone-yana.com/uploads/1/3/0/7/130739904/pupusutejuwogusumo.pdf
    • http://sm-eb.de/uploads/1/3/0/5/130551518/2274075.pdf
    • http://trevidium.com/uploads/1/3/1/4/131437725/8421324.pdf
    • http://fedorahosted.org/lohit
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://savannah.gnu.org/projects/freefont/
    • http://www.gnu.org/licenses/
    • http://www.gnu.org/copyleft/gpl.html

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000a049.bin
1a4e4c462a33f8756ac2942f766785c29b5c96a4277a25173388ee0c74a751d3		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA049 8972 bytes
font_01_sfnt_off0000c252.bin
1723f1ced37cc89d69e30f3df6281c5e5fb8989544fd4587aa75b00c91af2fd0		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC252 1388 bytes
font_02_sfnt_off0000c9b8.bin
6c4803abc74b37f399dd46c30ce47626d9b1aae6931d195e388b24b78cc0ed80		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC9B8 14176 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.