Malicious PDF — malware analysis report

Static analysis result for SHA-256 17023056941fa5b8…

MALICIOUS

PDF

Size: 52.7 KB
Created: 2020-03-30 04:10:31 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 62273d5a1520f7d42b8f928e40fff1d5
SHA-1: 917224b7a41c1986e16f7613210595e9c907cb47
SHA-256: 17023056941fa5b85a64787cb0c00f4c1d43a76026de39613f1ce0bf53d368db
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

This PDF document contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic. The document body, though heavily obfuscated, contains URLs that are likely intended to redirect users to malicious websites. The ML classifier also strongly indicated maliciousness. No scripts were extracted, but the sheer volume of external links suggests a link farm or redirection scheme, potentially leading to further malware delivery or phishing.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://humannaturefoundation.com/uploads/1/3/0/3/130312944/130312944.html#oraciones+condicionales+en+ingles+ejercicios+resueltos+pdf
    • http://iatlawfirm.com/uploads/1/3/0/2/130289288/7076543.pdf
    • http://greyandbird.com/uploads/1/3/0/8/130814014/994d5387e1542.pdf
    • http://liquorlawsvt.net/uploads/1/3/0/7/130775627/gogibi.pdf
    • http://airporti10bp.com/uploads/1/3/0/6/130603994/7cc0c0d4f9654f.pdf
    • http://www.bzsourcing.com/uploads/1/3/0/8/130873710/e0e334d1a2e4cd.pdf
    • http://ketymae.com/uploads/1/3/1/3/131397983/060db2205dbb2e6.pdf
    • http://carnivalincovington.org/uploads/1/3/0/7/130738896/niriwelej.pdf
    • http://healthbenefits.ca/uploads/1/3/0/6/130639141/1215992.pdf
    • http://fudgejj.com/uploads/1/3/1/4/131411341/1544514.pdf
    • http://light-snowboards.de/uploads/1/3/0/4/130483623/wuxevun_lofizesa_melogoragofug.pdf
    • http://genoshousesounds.com/uploads/1/3/0/5/130588778/lotagodoreg.pdf
    • http://oebdonations.com/uploads/1/3/0/2/130274355/bimajarax.pdf
    • http://nichellejensen4orem.com/uploads/1/3/1/4/131437242/wawan-nabufifi.pdf
    • http://victoriaeyes.com/uploads/1/3/0/5/130588920/5316207.pdf
    • http://yourakashicrecord.com/uploads/1/3/0/2/130288909/mumegewub_vumedi_fokolarogux.pdf
    • http://midcentury-mod.com/uploads/1/3/0/8/130813643/xixelezaro.pdf
    • http://citybestgroup.net/uploads/1/3/0/7/130740563/ponisovepatiru-fulopurirosif.pdf
    • http://dharmacentrecanada.com/uploads/1/3/1/3/131381101/9725801.pdf
    • http://gyokvosolutions.com/uploads/1/3/0/6/130621190/07d1f2e4fd75.pdf
    • http://chelseaheslington.com/uploads/1/3/0/8/130874424/8b67efd.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename / SHA-256 / Kind / Source / Size

  • font_00_sfnt_off00007672.bin
    SHA-256: 538b3ceb4c443535c6046df574fc3219a063c71dd2c9ec39c26ae31b1844f6a7
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7672
    Size: 8932 bytes
  • font_01_sfnt_off00009739.bin
    SHA-256: bb48f2028fe1ad439637a07eb22338af9f1535ec846d773e7d96d9d333a872f6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9739
    Size: 2644 bytes
  • font_02_sfnt_off0000a087.bin
    SHA-256: 59bfbbdf5c8f6464135d49143f12f3a202864fcefee7c38b9c34e58e14d24d05
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xA087
    Size: 2964 bytes
  • font_03_sfnt_off0000acdf.bin
    SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xACDF
    Size: 16036 bytes