Malicious PDF — malware analysis report

Static analysis result for SHA-256 4315872a54c02053…

MALICIOUS

PDF

36.5 KB Created: 2020-06-01 05:39:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f8af25049fe02362850e0040581fd005 SHA-1: a3a2b9abb707e21950c37e2384f70c5d9f7f5b2e SHA-256: 4315872a54c02053c876802e3e41333c59bbef9c493d84d4ac0d0ea8cc42a2f7
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file was flagged by an ML classifier as malicious and contains a large number of external links, a technique often used for SEO spam or to distribute malware. One of the extracted URLs, http://shopmycloset4you.com/uploads/1/3/1/6/131637517/131637517.html#travel+china+guide+zodiac+compatibility, is suspicious. The document body contains garbled text but also repeats the suspicious URL and several benign-looking WordPress URLs, suggesting a link farm or redirection scheme.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://shopmycloset4you.com/uploads/1/3/1/6/131637517/131637517.html#travel+china+guide+zodiac+compatibility
    • https://suvoxekegir.files.wordpress.com/2020/05/26613950617.pdf
    • https://suzofosal.files.wordpress.com/2020/05/39092352014.pdf
    • https://pelidabavigi.files.wordpress.com/2020/06/73019156597.pdf
    • https://zujanonazuk.files.wordpress.com/2020/05/vasitebivozu.pdf
    • https://mobulozasa.files.wordpress.com/2020/05/gozivivagiwunam.pdf
    • https://varotedip.files.wordpress.com/2020/05/zadatidepuboxojamifer.pdf
    • https://kifesebo.files.wordpress.com/2020/05/ravabimusozuvodat.pdf
    • https://susawakixer.files.wordpress.com/2020/06/dosebi.pdf
    • https://porugisi.files.wordpress.com/2020/05/74436517788.pdf
    • https://sewabebodepu.files.wordpress.com/2020/05/zupakawumilulexake.pdf
    • https://pumoduz.files.wordpress.com/2020/05/nabefuja.pdf
    • https://navurigafevu.files.wordpress.com/2020/05/lizokefadekujolaxinowu.pdf
    • https://doxozibetu.files.wordpress.com/2020/05/givuvoberogufifududofa.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000057d0.bin
6181562772447b97c653f001fc128a0ac08597f9e634bec0591c5a0ddf9210fa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x57D0 3528 bytes
font_01_sfnt_off0000645d.bin
048fea3e94b4294492715938afb4454f8bbbd668245b89a448445d2ae72f7dbc		 pdf-font-stream PDF embedded font (sfnt) at offset 0x645D 9940 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.