Malicious PDF — malware analysis report

Static analysis result for SHA-256 416e6c75771a3313…

Verdict: MALICIOUS
File type: PDF
Size: 34.8 KB
Created: 2020-04-27 03:37:20 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: d366aed1fe3bdeefc36d4fc4d6eb3f5b
SHA-1: f66bc222c4101afc88b78558910c89dad0aec28d
SHA-256: 416e6c75771a3313d79c1590ae49ca53121a2c45c476cd4c4170d39001d9999a
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links to other PDF files hosted on various domains, as indicated by the PDF_SEO_LINK_FARM heuristic. The document body also contains a URL pointing to sheriffproperties.com. These links likely serve as a link farm to distribute traffic or deliver malicious content. No scripts were extracted from this sample, and the document body content is largely unreadable, making it difficult to determine the exact nature of the lure beyond the SEO-optimized link structure.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9986

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    The small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    The PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Document body URL: http://sheriffproperties.com/uploads/1/3/0/6/130605182/130605182.html#active+aeroelastic+wing+pdf

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006041.bin
SHA-256: 953742d18b2301ccda3a93a0ebc1decb7ee24593140db9ecc369771b3ab950c0
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6041
Size: 8104 bytes