Malicious PDF — malware analysis report

Static analysis result for SHA-256 146548d23116690e…

MALICIOUS

PDF

37.7 KB Created: 2020-04-08 09:46:48 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 0f8d08de09d8a7e35ab330885b8de4e1 SHA-1: 24a7042fd86003778fc8b78ed2c916868e946cca SHA-256: 146548d23116690e4ea94e2f1c16d76baa3d998a6ac571bf607719cb8838bf2d
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a large number of embedded external links, a technique often used for SEO manipulation or to distribute further malicious content. The ML classifier strongly indicated maliciousness, and the PDF_SEO_LINK_FARM heuristic confirms the presence of a link farm. While no scripts were directly extracted, the embedded URLs are the primary indicators of malicious intent, likely serving as a distribution mechanism for other threats.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://rfwhilephotos.com/uploads/1/3/0/4/130436439/130436439.html#chocolate+miniature+dachshund+puppies+for+sale+uk
    • http://567tech.com/uploads/1/3/0/4/130436226/9523338.pdf
    • http://tbodyworks.com/uploads/1/3/0/4/130478360/9564503.pdf
    • http://7stepstogettingoutofdebt.com/uploads/1/3/0/5/130546040/8090812.pdf
    • http://cbdmeditreats.com/uploads/1/3/0/6/130621248/5720654.pdf
    • http://spanishmaincocoabeach.com/uploads/1/3/0/7/130739592/8623033.pdf
    • http://martinebelanger.com/uploads/1/3/0/8/130813780/aefd002bd5.pdf
    • http://iatsetwulocal874.com/uploads/1/3/0/6/130604666/xixosob.pdf
    • http://individyouality.com/uploads/1/3/1/3/131379510/8689671.pdf
    • http://woofsandroofs.com/uploads/1/3/1/4/131406970/libozupijewonexejis.pdf
    • http://restorationchurchag.org/uploads/1/3/0/7/130775522/5602510.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000060d3.bin
bb6f5acbfdaa984bb79385c611775f1f9376d56de32b752a0c891beaa402b162		 pdf-font-stream PDF embedded font (sfnt) at offset 0x60D3 8000 bytes
font_01_sfnt_off00008009.bin
6a51e6b8f4328f7ace1819cabb52c31d6f88f37788dedbdf121899c6e5a6ea9e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8009 2600 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.