Malicious PDF — malware analysis report

Static analysis result for SHA-256 51d61de68c029003…

MALICIOUS

PDF

36.6 KB Created: 2020-06-22 06:49:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: d636ffcbba42d88658a32faf6ae68e61 SHA-1: 8bbe04bb247d60de11bbb41d675a23d0a8b30cc2 SHA-256: 51d61de68c02900377b6a9cabff97d9e9dc6eae161b084be2ce45ca49a08e11f
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of external links, many of which are structured as SEO-friendly URLs pointing to PDF files. The document body, though partially corrupted, suggests a lure related to 'lesson plans for text features'. The ML classifier strongly indicated maliciousness. The primary attack pattern involves directing users to a network of linked websites, likely for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://davidptarleton.com/uploads/1/3/0/8/130813804/130813804.html#lesson+plans+for+text+features
    • http://mta-sts.mail.kerrionmission.com/uploads/1/3/1/3/131383647/5174346.pdf
    • http://keduslife.org/uploads/1/3/0/2/130288455/3ea26a9bef4d2.pdf
    • http://ainwc.com/uploads/1/3/0/5/130590541/b2d764b.pdf
    • http://webdisk.trecutr.com/uploads/1/3/0/4/130483142/jiperuwupusizeg.pdf
    • http://eaglepizzeria.net/uploads/1/3/0/4/130476538/8515e2bf4.pdf
    • http://brightboxclub.com/uploads/1/3/1/0/131069753/levolamo.pdf
    • http://mailfilter.sry.com.tw/uploads/1/3/0/5/130551856/sipevivu_niruga_wuxafadaxoli.pdf
    • http://vpn.stmartindp.com/uploads/1/3/0/6/130620972/fowosopa-ledepotutawa-nawuwimo-lofuziro.pdf
    • http://beekind2all.com/uploads/1/3/0/2/130273761/a72369b03bf4b3.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000539f.bin
e16dc18773bd9776f19a9511114bc6ef90742da934f3aa7e2c6b856cff76ccbe		 pdf-font-stream PDF embedded font (sfnt) at offset 0x539F 4736 bytes
font_01_sfnt_off000063c9.bin
3b38f56867df13df04a1f46d668b0bd6de0c4280bde9338c5f5ea2d5f4453b1c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x63C9 10104 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.