Malicious PDF — malware analysis report

Static analysis result for SHA-256 3f7e39de0aa0bbd2…

MALICIOUS

PDF

Size: 44.9 KB
Created: 2020-03-21 13:42:07 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 28edecf442445bb3093d3ec81fb2f5fb
SHA-1: 84a2d05298a3e5822cb00ce8472f4dec23c54580
SHA-256: 3f7e39de0aa0bbd2a23fdd9ac41f3b2a7f760fb743556a4c5cf40bc8045e7c4d
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links, many of which point to similarly structured URLs on different domains. The document body, though partially corrupted, contains text about memorizing PMBOK processes and mentions wkhtmltopdf, suggesting a lure built around educational content. The primary heuristic, PDF_SEO_LINK_FARM, indicates a mass of external links generated for SEO purposes, likely to distribute malicious content or drive traffic. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://andresexpres.com/uploads/1/3/0/7/130740183/130740183.html#how+to+memorize+the+49+processes+from+the+pmbok+6th+edition+process+chart
    • http://replenishmysoul.com/uploads/1/3/0/6/130639682/peziterusobevol.pdf
    • http://www.catholicartistconnection.com/uploads/1/3/0/6/130639092/61b8acbc895f2.pdf
    • http://petscertification.com/uploads/1/3/0/6/130605278/3a13688229eae2.pdf
    • http://dentribe.com/uploads/1/3/0/3/130313167/senelibitakanojor.pdf
    • http://moccson.com/uploads/1/3/0/6/130639699/bemutadiw.pdf
    • http://dandelionsandhoneybees.com/uploads/1/3/0/7/130739480/1373136.pdf
    • http://easyduty.org/uploads/1/3/0/9/130969950/kodumexevoxewix.pdf
    • http://lovemugshop.com/uploads/1/3/0/4/130477039/kepar.pdf
    • http://truedefinitionlab.com/uploads/1/3/0/4/130435611/fuwokilelasonenuj.pdf
    • http://reparacoeselectricidadelisboa.com/uploads/1/3/0/7/130739131/gesoko.pdf
    • http://mikaylamaier.com/uploads/1/3/0/3/130379202/bugevemunono.pdf
    • http://learning-sciences.com/uploads/1/3/0/6/130639681/108f9fa38b228.pdf
    • http://benjaminthebookworm.com/uploads/1/3/0/5/130546657/4958460.pdf
    • http://paparazziservices.com/uploads/1/3/0/5/130544001/8c1d6749145c3.pdf
    • http://ballinghamgolf.com/uploads/1/3/0/5/130551174/sekipudus.pdf
    • http://saverioesara.com/uploads/1/3/0/7/130739264/lubafa.pdf
    • http://cieldegaule.com/uploads/1/3/0/4/130476736/pizesevof.pdf
    • http://southriverhighgreenteam.com/uploads/1/3/0/5/130589460/3406870.pdf
    • http://heizmanrealestatemanagement.org/uploads/1/3/0/7/130740130/funufikegoge.pdf
    • http://www.sixfifteenhandmade.com/uploads/1/3/0/2/130272603/5abc7e.pdf
    • http://www.oxography.com/uploads/1/3/0/9/130969311/4125053196.pdf
    • http://www.portsideresortcondos.com/uploads/1/3/0/5/130590047/7542b7a.pdf
    • http://markbarnettcarefunding.com/uploads/1/3/0/3/130379098/55bc8bf0b.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00007aad.bin
    SHA-256: d10d5d86ff06807dceb651e4bab4520f458785b5a892fd882dca2dc56869a184
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7AAD
    Size: 8720 bytes
  • Filename: font_01_sfnt_off00009c2b.bin
    SHA-256: 83459e82cebe561b9e65dda6a09953c9e35f75e5df0fa62a624e1833cc5b8086
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9C2B
    Size: 1708 bytes