Malicious PDF — malware analysis report

Static analysis result for SHA-256 170515f1bb98d5bc…

MALICIOUS

PDF

39.5 KB Created: 2020-05-24 21:50:38 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: b76be8daea8ff80501dc29b4e2c153c1 SHA-1: 573867abc8d8b095dafca1eb729284dafd8b2922 SHA-256: 170515f1bb98d5bc337d7e4933510eb0cbee72838b3c75374c8d1b7cd040b75b
136 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document was flagged as malicious by an ML classifier and exhibits characteristics of a link farm, embedding numerous external URLs. The heuristic 'SE_PASSWORD_ARCHIVE_LURE' suggests a common tactic where users are prompted to open password-protected archives, likely to bypass security scanners. The embedded URLs, such as http://2g2.undesirable.us/uploads/1/3/0/3/130379412/130379412.html, are indicative of a distribution or redirection mechanism.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://2g2.undesirable.us/uploads/1/3/0/3/130379412/130379412.html#sistema+tatico+de+defesa+do+futsal
    • http://merakiservices.org/uploads/1/3/0/4/130477372/6b2a2f.pdf
    • http://precisionsharpeningusa.com/uploads/1/3/0/2/130289282/4396549.pdf
    • http://washingtonsungrown.com/uploads/1/3/0/6/130639659/ledakilebefugutozaxo.pdf
    • http://charmcityhempstore.net/uploads/1/3/0/2/130271038/6e62466e885.pdf
    • http://conexioroma.com/uploads/1/3/0/5/130588478/suvorejogojuzi.pdf
    • http://rusticarrowofnc.com/uploads/1/3/0/2/130289205/7844827.pdf
    • http://philippinepickleball.shop/uploads/1/3/0/4/130483759/1934320.pdf
    • http://careercoachingtraining.com/uploads/1/3/0/2/130274269/daronokiniwiwuve.pdf
    • http://goredolls.com/uploads/1/3/1/4/131454766/muburibabazonufamuxe.pdf
    • http://telliotx3.com/uploads/1/3/0/6/130620367/8471677.pdf
    • http://rgb-mods.com/uploads/1/3/0/4/130476089/mosujum-sigulivafexebux-damubopaverim-tamutezejexuki.pdf
    • http://chargecarehealth.com/uploads/1/3/0/5/130590322/296321.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006bcf.bin
a096140e89362bfcf915051d31cad8ec0af53b630cf10ac41593fa30c2a961fb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6BCF 12852 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.