Malicious PDF — malware analysis report

Static analysis result for SHA-256 2c8aecdb33e66156…

MALICIOUS

PDF

35.9 KB Created: 2020-05-11 01:38:17 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 37a47c1dfcaa4093da77b530a739550e SHA-1: 7311fe1fa5ab78f3fda1a8d25b2d25a91f8218e4 SHA-256: 2c8aecdb33e66156c89c665958909e56bdee3a11c0657624a6567239e0fdeafd
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The PDF document contains a large number of external links to other PDF files hosted on various domains. This behavior is indicative of a link farm or a distribution mechanism for further malicious content. The ML classifier strongly flagged this PDF as malicious, supporting the suspicious nature of the extensive external linking.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://iavnt.com/uploads/1/3/0/9/130968958/130968958.html#laboratory+experiments+in+microbiology+11th+edition
    • http://weedinsure.com/uploads/1/3/1/0/131069978/migofoboj.pdf
    • http://ryancayabyab.info/uploads/1/3/0/6/130639082/zuvumilazukamo.pdf
    • http://massagetherapycrystalmclainlmt.com/uploads/1/3/0/7/130776874/zudim.pdf
    • http://precisionnews.net/uploads/1/3/0/8/130874053/zavoj.pdf
    • http://dmholistictherapy.com/uploads/1/3/0/7/130775567/pogavesane.pdf
    • http://cookingeasyfood.com/uploads/1/3/0/3/130323430/takezixawew.pdf
    • http://shopunicycle.com/uploads/1/3/0/3/130324324/wimuki.pdf
    • http://healingleafs.com/uploads/1/3/0/3/130323091/relof.pdf
    • http://kickboxuk.info/uploads/1/3/0/5/130544694/nilejujesotom.pdf
    • http://bhartdesigns.com/uploads/1/3/1/4/131454503/8a3ba846.pdf
    • http://exittales.com/uploads/1/3/1/4/131408954/1457637.pdf
    • http://youbeyou.biz/uploads/1/3/0/5/130589002/c8b84c7.pdf
    • http://inthefoldsbooks.com/uploads/1/3/0/9/130969897/c829761d6e9adf.pdf
    • http://mjzprotectedcropconsultants.com/uploads/1/3/0/3/130313390/6960813.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000062c4.bin
074c24c148430744c2342ec15c7083e77a3870ab8870f621942128deedae2601		 pdf-font-stream PDF embedded font (sfnt) at offset 0x62C4 10064 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.