Malicious PDF — malware analysis report

Static analysis result for SHA-256 341342b0729a2a8e…

Verdict: MALICIOUS
File type: PDF
Size: 69.5 KB
Created: 2020-03-24 21:54:44 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5:     ec6f84ec278c68490ee23b20d61628ef
SHA-1:   05bd4dce7d9b81a936075948ff2717777c5537ac
SHA-256: 341342b0729a2a8e13bb2c1dae9e9a59dcc6d8fb0a863312d695ad5c9f9e20ee
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF was flagged as malicious by the ML classifier and carries an unusually large number of external link annotations for a 69.5 KB document: 18 clickable links to .pdf and .html targets on 18 different hosts that all share the same /uploads/1/3/0/…/ path structure. That is the shape of a generated SEO link-farm carrier rather than a normal citation pattern, and it indicates a redirection scheme that routes readers into content hosted across many domains. No JavaScript or other active content was extracted, so the T1059.007 mapping above is not supported by the static findings; the risk in this sample lies in where the links lead, not in code executing inside the reader. The remaining extracted URLs are XMP namespace and font-licence strings, not link targets.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; what matters is which channel (macro, JS, link annotation, document body, ...) reached each URL. The 18 /uploads/1/3/0/… targets below are the clickable link annotations the link-farm heuristic counts. The w3.org, purl.org and ns.adobe.com entries are XMP namespace URIs, and the ascendercorp.com, fedoraproject.org and dejavu.sourceforge.net entries are very likely vendor and licence strings carried in the embedded fonts' metadata; none of those is followed on click.
    • http://aurorahardwoodwest.com/uploads/1/3/0/9/130969818/130969818.html#que+es+propedeutica+y+semiologia
    • http://leanworkingcapital.com/uploads/1/3/0/6/130604049/funaxilawupomunafum.pdf
    • http://www.portsmouthweddingphotographers.com/uploads/1/3/0/5/130540083/0c352b1b36.pdf
    • http://publiceyenetwork.net/uploads/1/3/0/3/130313415/lipone.pdf
    • http://carnivalqueendesigns.com/uploads/1/3/0/8/130873861/kepulogug_rosobaj.pdf
    • http://burnt-creek.com/uploads/1/3/0/6/130621789/2449334.pdf
    • http://sherwoodparkpianolessons.com/uploads/1/3/0/4/130483623/guleforogo.pdf
    • http://falaliyulechengbaijialehaowan.br3h.com/uploads/1/3/0/2/130270790/zunipobase-susazi-puluvo-wegeve.pdf
    • http://withyouinmindresaleshoppe.com/uploads/1/3/0/2/130271111/jopofasinovidiko.pdf
    • http://stockwits.com/uploads/1/3/0/9/130969838/5522228.pdf
    • http://myanmarlogisticsolutions.com/uploads/1/3/0/6/130621100/zakekepawazujiwuwof.pdf
    • http://www.live-to-laugh.com/uploads/1/3/0/7/130738863/bikuxivawonated.pdf
    • http://belliesandbundle.com/uploads/1/3/0/3/130324167/dekuxenas.pdf
    • http://therosegoldketocollection.com/uploads/1/3/0/6/130621025/wivugezimuzuj.pdf
    • http://smpcreditrepair.org/uploads/1/3/0/4/130488503/wuzawig-wuvuloxizelatam-sidifulox.pdf
    • http://faerieeverafter.com/uploads/1/3/0/5/130550855/jotawibik.pdf
    • http://ktsky1.com/uploads/1/3/0/5/130551249/2151226.pdf
    • http://dccyberwarriors.com/uploads/1/3/0/7/130776630/e9de15.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
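Two of the findings above can be reproduced on raw bytes: the duplicate-object shape behind PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and the many-hosts, one-path-pattern shape behind PDF_SEO_LINK_FARM. The Python below is an added illustration written for this page, not the analysis tool's own code. It scans for top-level `N G obj ... endobj` definitions, reports object numbers defined twice with different bodies, extracts /URI targets under both first-wins and last-wins resolution, and clusters the result by host and by shared leading path segments. The PDF it runs on is a constructed six-object sample with one incremental update, not the analysed file. It deliberately ignores stream data and compressed object streams, so on a real sample anything inside /ObjStm or a filtered stream would be missed and must be inflated first.

```python
import hashlib
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample (not the analysed file): three /Link annotations, then an
# incremental update that redefines object 4 with a different /URI target.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.test/uploads/1/3/0/9/a.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.test/uploads/1/3/0/9/b.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://other.test/index.html) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://evil.test/payload.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# "N G obj ... endobj" at top level. Objects inside compressed /ObjStm streams
# are NOT visible to this regex; a real triage pass must inflate those first.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def parse_objects(data: bytes):
    """Every object definition in file order as (num, gen, body), duplicates included."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip())
            for m in OBJ_RE.finditer(data)]


def duplicate_objects(data: bytes):
    """(num, gen) keys defined more than once with differing body bytes.

    The value is the SHA-256 of each version in file order, so what a
    first-wins reader and a last-wins reader would resolve can be compared.
    """
    versions = defaultdict(list)
    for num, gen, body in parse_objects(data):
        versions[(num, gen)].append(hashlib.sha256(body).hexdigest())
    return {key: hashes for key, hashes in versions.items() if len(set(hashes)) > 1}


def extract_uris(data: bytes, last_wins: bool = True):
    """/URI targets after resolving duplicate objects with the chosen policy.

    last_wins=True mimics a reader that honours the incremental update;
    last_wins=False mimics one that keeps the first definition it meets.
    """
    chosen = {}
    for num, gen, body in parse_objects(data):
        if last_wins or (num, gen) not in chosen:
            chosen[(num, gen)] = body
    return [u.decode("latin-1") for body in chosen.values() for u in URI_RE.findall(body)]


def host_histogram(uris):
    """Links per host. A link farm spread over many hosts looks flat here."""
    return Counter(urlsplit(u).hostname for u in uris)


def path_prefix_histogram(uris, depth: int = 4):
    """Links sharing the same leading path segments, regardless of host.

    The analysed sample's links sit on 18 hosts but all share /uploads/1/3/0/...;
    this view exposes that shape where a per-host count does not.
    """
    prefixes = Counter()
    for u in uris:
        segments = [s for s in urlsplit(u).path.split("/") if s]
        prefixes["/" + "/".join(segments[:depth])] += 1
    return prefixes


if __name__ == "__main__":
    print("duplicates:", duplicate_objects(SAMPLE_PDF))
    for policy in (False, True):
        uris = extract_uris(SAMPLE_PDF, last_wins=policy)
        print("last_wins" if policy else "first_wins", uris)
        print("  hosts:", dict(host_histogram(uris)))
        print("  path prefixes:", dict(path_prefix_histogram(uris)))
```

On the constructed sample the two policies disagree on exactly one object: a first-wins reader sees the benign a.pdf link, a last-wins reader sees the replaced payload.pdf target. That disagreement, not the duplicate itself, is what turns a routine incremental update into something worth inspecting.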

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0000be07.bin (10216 bytes)
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xBE07
    SHA-256: d95224fb9128dfaa446122a46a44d998d4f155c2566bb29677a8ad1de687addb
  • font_01_sfnt_off0000e1e2.bin (4436 bytes)
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xE1E2
    SHA-256: d99898257ed3bb8cec1d443d87cba10a46db4552802940897afc750f0b2a3e21
  • font_02_sfnt_off0000f11a.bin (16036 bytes)
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xF11A
    SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
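The three carved blobs are labelled sfnt fonts; wkhtmltopdf embeds the fonts it renders with, and the Liberation and DejaVu licence URLs in the embedded-URL list are consistent with that. Before dismissing a carved "font", though, it is worth confirming it is structurally an sfnt at all, because a PDF font stream is an opaque container and can hold anything. The Python below is an added example, not the analysis tool's carver: it parses the sfnt offset table and table directory and verifies that every table record lies inside the blob. The font it checks is a constructed two-table skeleton built by `build_sfnt`, not one of the carved files above.

```python
import struct

# Accepted sfnt version tags: TrueType (0x00010000), CFF-based OpenType, Apple 'true'.
SFNT_VERSIONS = {b"\x00\x01\x00\x00", b"OTTO", b"true"}
HEADER_LEN = 12   # sfntVersion(4) numTables(2) searchRange(2) entrySelector(2) rangeShift(2)
RECORD_LEN = 16   # tag(4) checkSum(4) offset(4) length(4)


def build_sfnt(tables: dict, version: bytes = b"\x00\x01\x00\x00") -> bytes:
    """Construct a minimal sfnt container from {tag: data}.

    Test fixture only: the tables carry no real font data, so this is not a
    renderable font, just a structurally valid sfnt.
    """
    offset = HEADER_LEN + RECORD_LEN * len(tables)
    records, body = b"", b""
    for tag, data in tables.items():
        padded = data + b"\0" * (-len(data) % 4)   # table data is 4-byte aligned
        records += struct.pack(">4sIII", tag, 0, offset, len(data))
        body += padded
        offset += len(padded)
    header = struct.pack(">4sHHHH", version, len(tables), 0, 0, 0)
    return header + records + body


def check_sfnt(blob: bytes):
    """Return (ok, findings). ok is False when the blob cannot be a well-formed sfnt."""
    findings = []
    if len(blob) < HEADER_LEN:
        return False, ["shorter than the 12-byte sfnt offset table"]
    version, num_tables = struct.unpack(">4sH", blob[:6])
    if version not in SFNT_VERSIONS:
        findings.append(f"unknown sfnt version {version!r}")
    dir_end = HEADER_LEN + RECORD_LEN * num_tables
    if dir_end > len(blob):
        findings.append(f"directory of {num_tables} tables runs past end of blob")
        return False, findings
    if num_tables == 0:
        findings.append("no tables")
    for i in range(num_tables):
        start = HEADER_LEN + RECORD_LEN * i
        tag, _checksum, off, length = struct.unpack(">4sIII", blob[start:start + RECORD_LEN])
        # A table that starts inside the directory or ends past the blob is not
        # what a font compiler emits; a carve that was cut short shows up here too.
        if off < dir_end or off + length > len(blob):
            findings.append(f"table {tag!r} at offset {off} length {length} lies outside the blob")
    return not findings, findings


if __name__ == "__main__":
    good = build_sfnt({b"head": b"\0" * 54, b"cmap": b"\0\0"})
    print(check_sfnt(good))
    print(check_sfnt(good[:-10]))                   # carve cut 10 bytes short
    print(check_sfnt(b"MZ\x90\x00" + b"\0" * 60))   # PE header stored as a "font"
```

A blob that fails this check is not automatically malicious, but a font stream that is not an sfnt has no business being labelled one and deserves a closer look (entropy, strings, a hexdump of the first 64 bytes) before the artifact is filed under "expected wkhtmltopdf output".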