Malicious PDF — malware analysis report

Static analysis result for SHA-256 49d58a25bfff49a0…

MALICIOUS

PDF

Size: 55.2 KB
Created: 2020-03-29 11:20:12 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: c7f9f9967eb0ad569a93f8aed37e11ef
SHA-1: d30cebe75597bc09bd4dbd0d740f74f46117ec77
SHA-256: 49d58a25bfff49a088e0e781ed344d698643d61445a2509d4eba982bfacea1f5
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, pointing to various domains. The document body contains the text 'Mi querido viejo descargar mp3', which appears to be a lure. The primary function seems to be directing users to a link farm, likely for SEO poisoning or to host further malicious content. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00007f47.bin | 8f4e17140505bad44f4213e21f1e041feb5bad2ab480e79fb1dc86c2d8089215 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x7F47 | 9380 bytes
font_01_sfnt_off0000a0b9.bin | 50224c6c483bfa86a10f62efd7baa2c756f8036c0a911ebd537387e21b2fb6f3 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA0B9 | 2732 bytes
font_02_sfnt_off0000aa50.bin | 18cd7b970c7d49fd53d9e09d51a6f3199ab35cacf8bafa2821406ad2f7dccea5 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xAA50 | 3316 bytes
font_03_sfnt_off0000b7b6.bin | 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xB7B6 | 16036 bytes