Malicious PDF — malware analysis report

Static analysis result for SHA-256 31dda94df7531526…

Verdict: MALICIOUS
File type: PDF
Size: 52.1 KB
Created: 2020-04-03 05:20:16 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: ef666d9de5b8deef80f26be4ead87483
SHA-1: 1edb33c7aaf76fd91300303e7a45e2d78ef9c24a
SHA-256: 31dda94df7531526f2a6647b9f7b4604d0d4b9d3aef2c4aeb1ff8a7ca5542e41
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic. The ML classifier also strongly indicated maliciousness. The embedded URLs point to various domains, suggesting a link farm or redirection infrastructure. No scripts were extracted, and the document body is largely unreadable binary data, but the presence of numerous external links is the primary indicator of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000827b.bin
SHA-256: 8dff618fbf08d3bcb34b3c697a6a0f95f910cc50fe5fef68c7967427d96e7c4a
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x827B
Size: 8696 bytes

Filename: font_01_sfnt_off0000a24d.bin
SHA-256: e91619dfd4c72a85464d95ef1ba4e67df13020651c42071bafbe521a61d9f7fc
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xA24D
Size: 2652 bytes

Filename: font_02_sfnt_off0000abb4.bin
SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xABB4
Size: 16036 bytes