Malicious PDF — malware analysis report

Static analysis result for SHA-256 51c0f21e5dc20c15…

MALICIOUS

PDF

34.8 KB Created: 2020-03-30 19:45:57 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 0a62b73891f24e5ecdccd0483aa2dbbe SHA-1: a481da2f28823d0fe0aff152e90627daf1e78eb1 SHA-256: 51c0f21e5dc20c157d9e06e43edfdc3aea25c03f8be15df135b1cea45d9c6e9b
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a lure related to a movie title, directing users to click on numerous external links. The PDF_SEO_LINK_FARM heuristic indicates a large number of these links, suggesting a link farm or redirection scheme. The ML_NYX_PDF_MALICIOUS classifier strongly supports the malicious nature of this PDF. The primary intent appears to be driving traffic to potentially malicious websites through deceptive content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ashershealth.com/uploads/1/3/0/7/130776299/130776299.html#cirque+du+freak+the+vampire%27s+assistant+full+movie+watch+online
    • http://goghom.com/uploads/1/3/0/7/130776864/7533039.pdf
    • http://tripleauniqueclothing.com/uploads/1/3/0/8/130873915/76536a9eaee9b.pdf
    • http://shopalivemarket.com/uploads/1/3/1/0/131070489/616696.pdf
    • http://pamashleyphotography.com/uploads/1/3/0/4/130477152/315950.pdf
    • http://citylightsremix.com/uploads/1/3/0/6/130604166/zixiv.pdf
    • http://queencitymyc.com/uploads/1/3/0/6/130620834/wirabur-xanet-leganameba-gokit.pdf
    • http://yolandaluna.net/uploads/1/3/0/7/130739731/kowavel-xozekim-bodonu-wujemufakunomu.pdf
    • http://edocig.com/uploads/1/3/0/4/130476885/7418772.pdf
    • http://600southclark.com/uploads/1/3/0/3/130313643/279879.pdf
    • http://lenorenorrgard.net/uploads/1/3/0/7/130738597/6134774.pdf
    • http://sousousakuragi.com/uploads/1/3/0/2/130289630/vorok-pokafakumog-mabug-zobejufog.pdf
    • http://paragoncounseling.com/uploads/1/3/1/4/131407005/nubadam.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005eba.bin
ae006cd67c3ec435f205a3fef8542f96e52ce278616df19a9311472251299e09		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5EBA 7992 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.