Malicious PDF — malware analysis report

Static analysis result for SHA-256 4ac5368a1ef486d0…

MALICIOUS

PDF

Size: 43.7 KB
Created: 2020-04-05 06:14:32 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: d641f90bd58ae138fb7cb62511d96031
SHA-1: 0480b0c276213647ed278fd74a5e000ba912f0ca
SHA-256: 4ac5368a1ef486d0a8695739415ddf89f37f46e1f633ba7a592ec2ebcea64fb7
Risk score: 94

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.001 Malicious Link

This PDF document exhibits the characteristics of a link farm: numerous external links point to other PDF files hosted across various domains, all sharing the same /uploads/1/3/ path layout. The ML classifier scored it as malicious with maximum confidence. The document body, though partially corrupted, still references the external links, indicating a deliberate attempt to direct readers to these resources. The primary attack pattern is the use of these links, most likely for SEO manipulation or to route users to further malicious payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info) PDF_URI
    The PDF contains a URI action (/S /URI) that opens an external URL.
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G obj) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (an action such as a URI, JavaScript or Launch action).
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. The six namespace URIs at the end of the list (w3.org, purl.org, ns.adobe.com) are XMP metadata schema identifiers, not link targets.
    • http://jenetics.services/uploads/1/3/0/4/130435672/130435672.html#tecnicas+de+redaccion+de+textos+ejemplos
    • http://htoursil.com/uploads/1/3/0/5/130590312/2936967.pdf
    • http://ivory-group.net/uploads/1/3/0/8/130814993/d7c9fac.pdf
    • http://osha30.net/uploads/1/3/0/5/130551456/panupidule-kobanupabada-xaxemezibu.pdf
    • http://skynet.institute/uploads/1/3/0/6/130639655/947050e.pdf
    • http://barmitzvahbelt.com/uploads/1/3/1/4/131406354/mogonazo.pdf
    • http://ebenezermemorials.com/uploads/1/3/0/7/130739127/7033181.pdf
    • http://pallavikanungo.com/uploads/1/3/0/5/130588467/76b88a2206c09.pdf
    • http://soulsistersoaps.com/uploads/1/3/1/1/131163783/loxatexosofi-fifarifavunudi-duzudavuz.pdf
    • http://domoretours.com/uploads/1/3/0/5/130551896/posajagebixobivifol.pdf
    • http://connectionsforchange.net/uploads/1/3/0/6/130620950/04aff2866fd4.pdf
    • http://www.diyforfive.com/uploads/1/3/1/0/131070149/vitelinagen-wules-bojuk-funumisebabo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
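The two structural heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, can be reproduced with a small byte-level scan. The following script is an added example written for this page; it is not the scanner's own logic. The PDF bytes it scans are a constructed minimal file (no xref table, so it will not render in a reader), the thresholds (minimum of 3 external .pdf links, file size up to 64 KB) are illustrative assumptions, and the regexes only catch /URI values written as literal strings, not hex strings or escaped sequences. It resolves duplicate objects both first-wins and last-wins so the two readers' disagreement is visible.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlparse

# Constructed sample (not the analysed file): three /Link annotations on one page
# point at .pdf files on external hosts, then an incremental update appended after
# the first %%EOF redefines object 6 with a different /URI. Thresholds below are
# illustrative assumptions, not the scanner's.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm-a.example/uploads/1/aaa.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm-a.example/uploads/2/bbb.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm-b.example/uploads/3/ccc.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm-c.example/uploads/3/ddd.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")  # literal strings only; no hex strings or escapes
ACTIVE_RE = re.compile(rb"/(URI|JavaScript|JS|Launch|OpenAction|AA)\b")


def indirect_objects(data):
    """All 'N G obj ... endobj' definitions in file order, duplicates included."""
    return [((int(m.group(1)), int(m.group(2))), m.group(3).strip())
            for m in OBJ_RE.finditer(data)]


def duplicate_objects(data):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape: the same (N, G) defined more than
    once with different bytes. Reports what a first-wins and a last-wins reader
    would each resolve, and whether the later body carries active content."""
    bodies = defaultdict(list)
    for key, body in indirect_objects(data):
        bodies[key].append(body)
    return {
        key: {"first": b[0], "last": b[-1], "active": bool(ACTIVE_RE.search(b[-1]))}
        for key, b in bodies.items()
        if len(b) > 1 and len(set(b)) > 1
    }


def external_pdf_links(data, resolution="last"):
    """Resolve duplicate objects first-wins or last-wins, then collect every
    /URI target whose path ends in .pdf (the link-farm signal)."""
    objs = {}
    for key, body in indirect_objects(data):
        if resolution == "last" or key not in objs:
            objs[key] = body
    links = []
    for body in objs.values():
        for m in URI_RE.finditer(body):
            url = m.group(1).decode("latin-1")
            if urlparse(url).path.lower().endswith(".pdf"):
                links.append(url)
    return links


def link_farm_verdict(data, min_links=3, max_size=64 * 1024):
    """PDF_SEO_LINK_FARM shape: a small file carrying many external .pdf links.
    Also reports how concentrated the targets are on a single host."""
    links = external_pdf_links(data)
    hosts = Counter(urlparse(u).netloc.lower() for u in links)
    top_share = hosts.most_common(1)[0][1] / len(links) if links else 0.0
    return {
        "size": len(data),
        "pdf_links": len(links),
        "distinct_hosts": len(hosts),
        "top_host_share": round(top_share, 2),
        "link_farm": len(data) <= max_size and len(links) >= min_links,
    }


if __name__ == "__main__":
    print(link_farm_verdict(SAMPLE_PDF))
    for key, info in duplicate_objects(SAMPLE_PDF).items():
        print(f"{key[0]} {key[1]} obj defined twice; active={info['active']}")
        print("  first-wins:", info["first"][:80])
        print("  last-wins: ", info["last"][:80])
    print("first-wins links:", external_pdf_links(SAMPLE_PDF, "first"))
    print("last-wins links: ", external_pdf_links(SAMPLE_PDF, "last"))
```

On the constructed sample, a first-wins reader follows the farm-b link for object 6 while a last-wins reader follows farm-c, which is exactly the disagreement the duplicate-object heuristic flags; because the later body is a /URI action it counts as active content. Run against a real sample, replace SAMPLE_PDF with the file's bytes; for production use, resolve objects through a proper parser rather than regex, since object streams and string escapes will hide targets from this scan.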

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000080f6.bin
SHA-256:  20018f2904bc82c39bab48d366a6193579a57a5945503f10ba4e234a28eae2b7
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x80F6
Size:     8672 bytes