Malicious PDF — malware analysis report

Static analysis result for SHA-256 505bfba5416bd4b7…

Verdict: MALICIOUS

File type: PDF

Size: 42.3 KB
Created: 2020-03-12 12:56:39 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 07b24c8e1abe5d2e340150d368b3e34e
SHA-1: 6b26b38dd4df5dd2ec5ad19b0a2628442bb90b44
SHA-256: 505bfba5416bd4b7c7d94cb388c8a30846a6ad775f50ecce44c6b7d57ab6431e
Risk Score: 94

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF document contains a large number of external links, many of which point to other PDF files, suggesting a link farm or redirection mechanism. The document body and one of the extracted URLs explicitly mention 'gta vice city cheater apk download for android', indicating a lure for potentially unwanted or malicious software. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://allisonmarketingandapparel.com/uploads/1/3/0/6/130639571/130639571.html#gta+vice+city+cheater+apk+download+for+android
    • http://webdisk.mission-ready.org/uploads/1/3/0/2/130273913/firadera_madofe.pdf
    • http://mrcontractingservices.com/uploads/1/3/0/6/130604251/pelije.pdf
    • http://mesabimusicaltheatre.com/uploads/1/3/0/6/130621657/3598345.pdf
    • http://toneboxdigital.com/uploads/1/3/0/7/130739560/7bf95d1ebdd193.pdf
    • http://dgofire.com/uploads/1/3/0/3/130323449/ziratitoz.pdf
    • http://431775997417950473.com/uploads/1/3/0/8/130814858/vowoju.pdf
    • http://closinggoals.com/uploads/1/3/0/5/130543168/moxex.pdf
    • http://saintfrancismoab.org/uploads/1/3/0/7/130740054/c2966.pdf
    • http://www.skbfitness.com.au/uploads/1/3/0/6/130621124/xaduliwi_ximig.pdf
    • http://wysdom.stthomasdya.org/uploads/1/3/0/8/130873861/dudobufafogiv.pdf
    • http://3coconut.com/uploads/1/3/0/2/130287457/besilorufor-fulaturokiv-dixagom-muwefezojem.pdf
    • http://rldindoorbaseballfacility.com/uploads/1/3/0/7/130738798/f83005b6b05.pdf
    • http://spanningtrees.net/uploads/1/3/0/2/130272364/dutegofolo_sivigogutawu.pdf
    • http://pressplaycommunications.net/uploads/1/3/0/6/130621392/tiwexaruroguw-witidap-munerobewudeb-sazesa.pdf
    • http://hiitech.org/uploads/1/3/0/6/130620399/4163136.pdf
    • http://hostmaster.zestconsultancy.co.uk/uploads/1/3/0/7/130776609/7576203.pdf
    • http://gsg-mail.guardianservices.com/uploads/1/3/0/7/130740224/3706924.pdf
    • http://cloister.useoutside.com/uploads/1/3/0/5/130541116/jibabu.pdf
    • http://taranakitimebank.nz/uploads/1/3/0/5/130545278/3583679.pdf
    • http://chrisministries.com/uploads/1/3/0/6/130621857/388b8bfb0ad9.pdf
    • http://www.shymiahchanelextensions.com/uploads/1/3/0/4/130483949/9848055.pdf
    • http://nowandzenpet.com/uploads/1/3/0/4/130483806/votonosigon-beravenedizifev-mafanipinafed-niwibob.pdf
    • http://goonmud.com/uploads/1/3/0/8/130814601/1980046.pdf
    • http://goonmud.com/uplo
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007b0f.bin
SHA-256: 8b50bbe56901692c44ed18a95a16d8cd9dc81f2a506d18d28910608b8c27da88
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x7B0F
Size: 8208 bytes