Malicious PDF — malware analysis report

Static analysis result for SHA-256 1d902d72a1c291a0…

MALICIOUS

PDF

52.8 KB Created: 2020-04-10 21:02:46 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 36f779cf6d85a43f201a65811b20acbd SHA-1: b910b83d2e0151361b23f44511429ca754e28108 SHA-256: 1d902d72a1c291a0da299e3647e42901a1fd4604d9ebb22eb177d1e59f7c15c2
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains numerous external links, many of which point to seemingly unrelated domains and are structured to appear as SEO-optimized content. One prominent link directs to 'queen-bling-jewelry.com' with a query string referencing 'brutal doom black edition android', suggesting a lure to a malicious site. The ML classifier strongly flagged this PDF as malicious, indicating a high probability of malicious intent. No scripts were extracted, but the extensive link farm and ML detection point to a social engineering attack.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://queen-bling-jewelry.com/uploads/1/3/0/8/130814515/130814515.html#brutal+doom+black+edition+android
    • http://alta-prorealty.ca/uploads/1/3/0/9/130969139/vebakurumoxobarozir.pdf
    • http://terrariumhairspa.net/uploads/1/3/0/8/130814926/0e4a8.pdf
    • http://gatheredboutique.com/uploads/1/3/0/5/130588799/rurubinoda.pdf
    • http://avaspady.com/uploads/1/3/0/2/130271179/7808668.pdf
    • http://widogtrainingmadefun.com/uploads/1/3/0/4/130483385/pebawe_kelulixenam_gapapunatalusap_safesoxaku.pdf
    • http://wegranic.com/uploads/1/3/1/4/131454436/winutejikijiw.pdf
    • http://sacbegroup.com/uploads/1/3/0/8/130814065/palovubesef.pdf
    • http://legacylegalconsulting.com/uploads/1/3/0/5/130588442/rofawidovajapumimebu.pdf
    • http://southatlanticinteriors.com/uploads/1/3/0/8/130814248/435253.pdf
    • http://1159design.net/uploads/1/3/1/4/131407882/7312616.pdf
    • http://leegayle.net/uploads/1/3/1/4/131482874/dc6483f41442e.pdf
    • http://cbygroupinternational.com/uploads/1/3/0/5/130588703/692eebba207.pdf
    • http://clumsybutcute.com/uploads/1/3/0/6/130639976/wiluwax_popizuredub_palox_zesuzep.pdf
    • http://sacbegroup.co
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00009bee.bin
4c1e352c6b045200dbb42be0977ea443b9fdb5e0b198a4b2cadbbfb6b5d18920		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9BEE 8956 bytes
font_01_sfnt_off0000be40.bin
50224c6c483bfa86a10f62efd7baa2c756f8036c0a911ebd537387e21b2fb6f3		 pdf-font-stream PDF embedded font (sfnt) at offset 0xBE40 2732 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.