Malicious PDF — malware analysis report

Static analysis result for SHA-256 2563bc59a898d8be…

Verdict: MALICIOUS
File type: PDF
Size: 47.8 KB
Created: 2020-03-28 12:43:01 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 0d13a54f3aae5114cccc35ffdbc31cd5
SHA-1: b97899460376bd1764bafa926ee943e104208950
SHA-256: 2563bc59a898d8be04f9e70b9a65caa1dd0701790e7713d804ce545d6c672472
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of embedded external links, characteristic of a link farm or SEO spam technique used to distribute malicious content. The ML classifier strongly indicated maliciousness. The document body contains garbled text and embedded URLs, suggesting it is not intended for legitimate user consumption but rather as a vehicle for directing users to potentially harmful websites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 3

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00006edc.bin
    SHA-256: b6bb718be281574aef57b8b432163015223e28cf699f426b9db27140b239ecc6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6EDC
    Size: 9536 bytes
  • Filename: font_01_sfnt_off000090d5.bin
    SHA-256: 4144669cd0414b4668a4ab24666780f2909a4ba68007f54639ea08f485405f3f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x90D5
    Size: 2784 bytes
  • Filename: font_02_sfnt_off00009a8b.bin
    SHA-256: ef518990ed345b433102152cd2a99af43d72f2a0d9bbb7ea4f114d5b2e17157e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9A8B
    Size: 16184 bytes