Malicious PDF — malware analysis report

Static analysis result for SHA-256 51eccae1128894ca…

MALICIOUS

PDF

35.7 KB Created: 2020-04-09 01:26:04 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 1273e944f88f9083740f31815ac20612 SHA-1: caca2783d5cd569b9207d3cd9982acf740c89188 SHA-256: 51eccae1128894ca5c7e05cf67ecba205d742d6dbfc8552aaeb9ebae758216ee
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of external links, many of which are numerically or generically named, suggesting a link farm or SEO poisoning tactic. The document body, though partially corrupted, indicates a lure related to a "Preventive maintenance checklist format". The primary purpose appears to be directing users to a network of suspicious websites, likely for further exploitation or phishing. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://cryptosunrising.com/uploads/1/3/0/2/130289158/130289158.html#preventive+maintenance+checklist+format
    • http://ketolistic.com/uploads/1/3/1/3/131383848/2642762.pdf
    • http://nangreypottery.com/uploads/1/3/1/1/131164568/batozil.pdf
    • http://myviccas.com/uploads/1/3/0/7/130739213/rofedogopixovozivo.pdf
    • http://exceedingwanderlust.com/uploads/1/3/0/8/130813846/3771671.pdf
    • http://nathandmaki.com/uploads/1/3/0/3/130324207/mitilisanel.pdf
    • http://abbepsychservices.com/uploads/1/3/0/7/130775758/3262131.pdf
    • http://ammaartdebienetre.com/uploads/1/3/0/2/130272336/wipidot.pdf
    • http://drkrys.com/uploads/1/3/0/3/130379163/xobus.pdf
    • http://thecheerbowdepot.com/uploads/1/3/0/6/130605412/tonoxokex.pdf
    • http://elrodcenter.org/uploads/1/3/0/8/130874264/pofukoxinedawabir.pdf
    • http://premierdraftroofing.com/uploads/1/3/1/4/131407694/6276820b.pdf
    • http://centralcommunitychoir.com/uploads/1/3/0/7/130738940/rulaxa-zadipunus-funulopa-xalozesinaraf.pdf
    • http://campconcordia.net/uploads/1/3/1/3/131383441/sopinukomibu.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000662f.bin
9844e257b0e33576aef1a5772e7caa8cb67a27968fee56bc84ce02207922b99f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x662F 7084 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.