Malicious PDF — malware analysis report

Static analysis result for SHA-256 39dc7850505c2326…

MALICIOUS

Type: PDF
Size: 38.4 KB
Created: 2020-06-09 02:47:25 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f4d7f930365dfa1ae7cdccdf05edc917
SHA-1: 46fa348eecc5e2d9dd48ce10b473fa93fc2217f3
SHA-256: 39dc7850505c232698bd6d56232e0ad5a958673cbee2ef931d6fb10a050b3739
Risk Score: 94

Malware Insights

MITRE ATT&CK
T1598 Gather Victim Identity Information

The PDF contains a large number of external links and was flagged by the PDF_SEO_LINK_FARM heuristic. Its primary purpose appears to be routing users to a large set of other PDF documents hosted across many domains: the extracted targets share the same generated /uploads/1/3/.../<numeric id>/ path layout on otherwise unrelated hosts, plus a cluster of files.wordpress.com uploads from the same month, which is consistent with an automatically produced link farm rather than genuine citations. The Nyx PDF classifier scored the file 1.0000 malicious, supporting the reading that the link farm is used for SEO spam or to stage further malicious or unwanted content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL channel labels (macro, JS, link annotation, document body, ...) that record how each URL was reached are not included in this export. The last six entries (w3.org, purl.org and ns.adobe.com) are XMP/RDF namespace identifiers from the metadata stream, not link targets.
    • http://mail.sebolt.com/uploads/1/3/0/2/130288394/130288394.html#zillow+grants+pass
    • http://habeshamagazine.net/uploads/1/3/1/0/131070238/vexoropare_pugutagogemalo.pdf
    • http://aikidokenkyukaipennsylvania.org/uploads/1/3/0/7/130739816/tudaxudapopetar.pdf
    • http://cpanel.goodtimesatlanta.com/uploads/1/3/1/6/131637171/9691505.pdf
    • http://rogsonslaser.com/uploads/1/3/0/4/130489157/povofij_badataro_tesarok_rakatuvamag.pdf
    • http://vadaulazilebune.com/uploads/1/3/0/6/130639664/472ff738f714.pdf
    • http://maquinasflexograficas.com/uploads/1/3/0/4/130435909/ragepotojolije_vakubos_kukinavufopupe_gujuzopezenig.pdf
    • http://buyflamingocards.co.uk/uploads/1/3/0/5/130551391/jinotixejirowu-fowuraxame.pdf
    • http://1602partners.com/uploads/1/3/1/4/131406071/sobizarukefoz_notuwikidab_xuzifox_lanureburixoxiv.pdf
    • http://pamdecorators.com/uploads/1/3/0/2/130291640/7393710.pdf
    • http://yourtechsupport.net/uploads/1/3/1/1/131163914/6479680.pdf
    • http://jaimadeitmarketing.com/uploads/1/3/0/6/130604826/1506017.pdf
    • https://duraxemi813454951.files.wordpress.com/2020/06/pibavip.pdf
    • https://vedusax.files.wordpress.com/2020/06/80825538199.pdf
    • https://sebokufani.files.wordpress.com/2020/06/59955227265.pdf
    • https://surefab.files.wordpress.com/2020/06/38147390834.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
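The two structural heuristics above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) can be reproduced with a raw-bytes scan, which is useful for triaging similar carriers offline. The script below is an added example, not code from the analysis tool that produced this report. It builds its own constructed PDF (the example-farm.test, blog-*.test, cdn-c.test and payload.example-farm.test hostnames, the paths and the thresholds are all assumptions, not taken from the analysed sample), extracts every /URI action target, measures how strongly the targets cluster on one host and on one generated path template, and shows the first-wins versus last-wins resolution of a redefined object.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Matches uncompressed "N G obj ... endobj" definitions in the raw file. Objects packed
# inside object streams (/Type /ObjStm) are not visible to this scan.
OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
# Literal-string /URI values only; hex-string (<...>) URIs are not handled here.
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.DOTALL)


def iter_objects(pdf: bytes):
    """Yield ((num, gen), body) for every indirect object definition, in file order."""
    for m in OBJ_RE.finditer(pdf):
        yield (int(m.group(1)), int(m.group(2))), m.group(3).strip()


def duplicate_object_bodies(pdf: bytes) -> dict:
    """Objects defined more than once with differing bodies (the DUPLICATE_OBJ_BODY shape)."""
    seen = {}
    for key, body in iter_objects(pdf):
        seen.setdefault(key, []).append(body)
    return {k: v for k, v in seen.items() if len(set(v)) > 1}


def resolve(pdf: bytes, key: tuple, policy: str = "last"):
    """Resolve an object the way a first-wins or a last-wins reader would."""
    bodies = [b for k, b in iter_objects(pdf) if k == key]
    if not bodies:
        return None
    return bodies[0] if policy == "first" else bodies[-1]


def extract_uris(pdf: bytes) -> list:
    """All /URI action targets, with PDF string escapes for parentheses undone."""
    return [raw.replace(b"\\(", b"(").replace(b"\\)", b")").decode("latin-1")
            for raw in URI_RE.findall(pdf)]


def path_template(url: str) -> str:
    """Collapse digit runs and the final segment so machine-generated paths compare equal."""
    path = re.sub(r"[0-9]+", "N", urlparse(url).path)
    return re.sub(r"/[^/]*$", "/*", path)


def link_farm_verdict(pdf: bytes, min_links: int = 10, cluster_share: float = 0.5,
                      max_size: int = 64 * 1024) -> dict:
    """Small file + many /URI actions + most targets on one host. Thresholds are assumptions."""
    uris = extract_uris(pdf)
    hosts = Counter(urlparse(u).hostname for u in uris)
    templates = Counter(path_template(u) for u in uris)
    top_host, top_host_n = hosts.most_common(1)[0] if hosts else (None, 0)
    top_tmpl, top_tmpl_n = templates.most_common(1)[0] if templates else (None, 0)
    host_share = top_host_n / len(uris) if uris else 0.0
    return {
        "size": len(pdf),
        "uri_count": len(uris),
        "top_host": top_host,
        "host_share": host_share,
        "top_path_template": top_tmpl,
        "template_share": top_tmpl_n / len(uris) if uris else 0.0,
        "flagged": len(pdf) <= max_size and len(uris) >= min_links and host_share >= cluster_share,
    }


def build_sample_pdf(urls: list, dup_url: str = None) -> bytes:
    """Constructed test input: a minimal uncompressed PDF with one link annotation per URL.
    If dup_url is given, object 4 is redefined later in the file with a different target,
    mimicking an incremental update that swaps the first link."""
    objs = [b"<< /Type /Catalog /Pages 2 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"]
    refs = b" ".join(b"%d 0 R" % (4 + i) for i in range(len(urls)))
    objs.append(b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [" + refs + b"] >>")
    annot = b"<< /Type /Annot /Subtype /Link /Rect [0 0 100 20] /A << /S /URI /URI (%s) >> >>"
    objs += [annot % u.encode("latin-1") for u in urls]
    parts = [b"%PDF-1.4\n"] + [b"%d 0 obj\n%s\nendobj\n" % (i, body) for i, body in enumerate(objs, 1)]
    if dup_url is not None:
        parts.append(b"4 0 obj\n" + annot % dup_url.encode("latin-1") + b"\nendobj\n")
    parts.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return b"".join(parts)


# Hypothetical hostnames and paths; none of these come from the analysed sample.
FARM_URLS = ["http://example-farm.test/uploads/1/3/0/%d/13000000%d/%04d.pdf" % (i, i, i) for i in range(12)]
OTHER_URLS = ["https://blog-a.test/2020/06/a.pdf", "https://blog-b.test/2020/06/b.pdf",
              "http://cdn-c.test/files/c.pdf"]
DUP_URL = "http://payload.example-farm.test/x.pdf"
SAMPLE_PDF = build_sample_pdf(FARM_URLS + OTHER_URLS, dup_url=DUP_URL)

if __name__ == "__main__":
    print(link_farm_verdict(SAMPLE_PDF))
    for key, bodies in duplicate_object_bodies(SAMPLE_PDF).items():
        print("object %d %d defined %d times with different bodies" % (key[0], key[1], len(bodies)))
        print("  first-wins ->", extract_uris(resolve(SAMPLE_PDF, key, "first")))
        print("  last-wins  ->", extract_uris(resolve(SAMPLE_PDF, key, "last")))
```

The host-share check mirrors the heuristic text; the path-template share is reported alongside it because, as the URL list in this report shows, a farm can also spread one generated path layout across many hosts, and a host-only threshold would miss that variant. Neither check inspects object streams or decodes hex-string URIs, so a real triage pass should first decompress the file (for example with qpdf's QDF mode) before scanning.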

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000069e1.bin
    SHA-256: 7d68c1fc34feda098924d169e70058fbd9c2ca1299c53a111547c35fa75b5514
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x69E1
    Size: 10516 bytes