Malicious PDF — malware analysis report

Static analysis result for SHA-256 1485c0dba9742791…

MALICIOUS

PDF

39.9 KB Created: 2020-04-05 06:04:37 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 9594a7c188287e0ad9c528727abbe7cd SHA-1: 651a1de71473d3a78b8f968b009af804a752679e SHA-256: 1485c0dba9742791ce1c9722f25e0492dcfc6e9d792fea3f111b19554d91b6cf
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

This PDF file exhibits characteristics of a link farm or SEO manipulation tactic, as indicated by the PDF_SEO_LINK_FARM heuristic. It contains numerous embedded external URLs pointing to other PDF files hosted across various domains. The ML classifier also strongly flagged this PDF as malicious. The primary goal appears to be directing users to a large number of external resources, potentially for distributing malware or for search engine ranking manipulation.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ankezimmermann.ca/uploads/1/3/0/6/130604672/130604672.html#clasificacion+de+compresores+alternativos
    • http://libertycitizen.com/uploads/1/3/0/4/130478307/vexaluviropem.pdf
    • http://pilosbeauty.com/uploads/1/3/1/3/131383821/rukugejuzida_dugole.pdf
    • http://microblading-amsterdam.com/uploads/1/3/0/6/130640006/juzunumuvig_setul_wikagidubiv_dofobibena.pdf
    • http://awestruckwellness.com/uploads/1/3/0/7/130775639/251c7.pdf
    • http://dcunionsquare.com/uploads/1/3/0/4/130489351/kifesiredono.pdf
    • http://stringsforhope.org/uploads/1/3/1/0/131070173/371068.pdf
    • http://cgreeves.com/uploads/1/3/0/5/130551427/vujukovikidod.pdf
    • http://alt-shn.org/uploads/1/3/0/5/130590687/wonajisorem_fiwer_xovojisino_revadosumifawab.pdf
    • http://dazzlingweddingsandevents.com/uploads/1/3/0/5/130588352/20c708e231.pdf
    • http://polaris2014.com/uploads/1/3/0/5/130544009/64bd0.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000070a9.bin
b22542c66ea84406e7abd014993d998c9dafd7a1911d4e2af47018320e30dfb4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x70A9 9120 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.