Malicious PDF — malware analysis report

Static analysis result for SHA-256 2cd64424679967fa…

MALICIOUS

PDF

34.4 KB Created: 2020-04-15 05:11:29 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 1b4e08fad98b18c426ffafc79c25ef4e SHA-1: 7dd99b710468023baaf0909d7de030000346349a SHA-256: 2cd64424679967fa71469735399d80e67c13f6e8c59ba9ea10c270106961b1e7
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of external links, many of which are numerically or generically named and hosted on unrelated domains, indicating a link farm or SEO spam operation. The document body suggests a lure related to educational worksheets, but the primary function appears to be redirecting users to a network of malicious or spam-related websites. No scripts were extracted, and the maliciousness is derived from the extensive link farm heuristic and the ML classifier.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://aboutusinvestment.com/uploads/1/3/1/4/131407760/131407760.html#gcf+and+lcm+worksheet+with+answers+pdf
    • http://tanyaszommer.net/uploads/1/3/1/4/131437831/7600011.pdf
    • http://fosterhauer.com/uploads/1/3/1/3/131379938/503471.pdf
    • http://brianedwardofficial.com/uploads/1/3/0/6/130639462/9274777.pdf
    • http://bearlakebearsfootball.com/uploads/1/3/0/6/130604048/tijuxovidi.pdf
    • http://thaiboq.com/uploads/1/3/0/5/130590158/wavikiteviz-xexafibefejelin-vozili-besifafozadarin.pdf
    • http://sweetmaddies.com/uploads/1/3/0/9/130969191/jexuvaleri.pdf
    • http://seafoodfestivalgiveaways.com/uploads/1/3/0/6/130639642/xorobojuwusare.pdf
    • http://firstbostonconsultingcorp.com/uploads/1/3/1/4/131453780/zozezug_sasel_koxapijo.pdf
    • http://topographyandink.com/uploads/1/3/1/4/131407365/koxejado_gikikavej.pdf
    • http://livemusicgozo.com/uploads/1/3/0/7/130739833/denuxa_vumoweso.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000054de.bin
5f468728ac4c96cdc59d2ae5054f631cb18370e8a1826b8dbeb3943646c076d7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x54DE 7940 bytes
font_01_sfnt_off000073c5.bin
e2f1373bf3d70a40ff4276a486f0a1d2d32154e4f45ad1243a44c3d3b7d91cea		 pdf-font-stream PDF embedded font (sfnt) at offset 0x73C5 2652 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.