Malicious PDF — malware analysis report

Static analysis result for SHA-256 4fa9b0e97eaeb5c7…

MALICIOUS

PDF

41.5 KB Created: 2020-04-04 08:07:18 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: da31c1d17c3cb2c4716aabbf70400697 SHA-1: ee8f2bc94918e47674382f7e29e6fda39a836026 SHA-256: 4fa9b0e97eaeb5c7dfd99d0acbbe693d813700b0e96a1c20d99f92749a8b3f6e
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 User Execution: Malicious File

The PDF file contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. These links point to numerous other PDF files hosted on various domains, suggesting a link farm or distribution network. The ML classifier also strongly flagged this PDF as malicious. No scripts were extracted, and the document body text is largely unreadable binary data, but the presence of the link farm and the ML score indicate a high likelihood of malicious intent, possibly to distribute further malware or engage in SEO spam.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ciggysound.com/uploads/1/3/0/9/130969735/130969735.html#linda+mensagem+de+boa+noite+para+meu+amor
    • http://colmexservices.net/uploads/1/3/0/7/130775478/482d2aebc94c4.pdf
    • http://candles.studio/uploads/1/3/0/7/130740351/3ca5af0acda6bc.pdf
    • http://sayurichino.com/uploads/1/3/0/2/130289431/123a70152b7ae45.pdf
    • http://netnoodle.net/uploads/1/3/0/2/130291475/petinasafu.pdf
    • http://catchabreakmedia.com/uploads/1/3/0/7/130775259/139050.pdf
    • http://paradisezion.com/uploads/1/3/0/7/130775129/6579435.pdf
    • http://thecraftyteacher18.com/uploads/1/3/1/4/131409616/logumularagapon.pdf
    • http://keepyourappointment.com/uploads/1/3/0/8/130814284/db45f.pdf
    • http://host37.carmichaelnl.com/uploads/1/3/0/2/130271177/7217221.pdf
    • http://257bennettstreet.com/uploads/1/3/0/2/130270990/8f2b6123700d6.pdf
    • http://profondomare.com/uploads/1/3/0/7/130738534/jatoju.pdf
    • http://preposemethod.com/uploads/1/3/0/6/130620919/lebugexopulusimo.pdf
    • http://faithhopelovesa.com/uploads/1/3/0/2/130291592/gimap.pdf
    • http://nluna2.com/uploads/1/3/1/4/131408204/digurosaxerun_morejo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000699a.bin
2b77cbd404d4000da38bd0f6e5282a890818c5a14b5b8713a34d308c98a99a7e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x699A 9536 bytes
font_01_sfnt_off0000893a.bin
382c4be7e041d01bd65ccb497ac208f5a885daa69a4c396d10b6ab7a28a33250		 pdf-font-stream PDF embedded font (sfnt) at offset 0x893A 3296 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.