Malicious PDF — malware analysis report

Static analysis result for SHA-256 5439b8277b2ca58b…

MALICIOUS

PDF

37.6 KB Created: 2020-05-26 22:18:41 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1ef6849665178279bd506baafe4023df SHA-1: 4294c756f97a1f36fcf9c2874bed033f2642951c SHA-256: 5439b8277b2ca58bd01dbf21b0d2c21d850854dffc7cf8c457fd5f662b346c68
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file was flagged by a machine learning classifier as malicious. It contains a significant number of external links, a technique often used to create link farms for SEO manipulation or to redirect users to malicious content. The document body is heavily obfuscated but contains references to URLs that appear to be part of this link farm strategy. No scripts were extracted, limiting further analysis of direct execution.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9939

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://mskimsbeautyexchange.net/uploads/1/3/1/3/131381243/131381243.html#ff14+lancer+leveling+guide
    • http://saint11.com/uploads/1/3/0/8/130874223/1b23a9ed1.pdf
    • http://my-coachman.com/uploads/1/3/0/4/130488251/muzewaponemaku.pdf
    • http://dielsiholdings.com/uploads/1/3/1/3/131378814/wopukulo_rugiwax_buvepitokaso.pdf
    • http://hawaiianstyle2556.shop/uploads/1/3/1/3/131382673/xesojavapufol-lulakibi-miporokatire-zexufokunovu.pdf
    • http://hydrovida.com/uploads/1/3/0/8/130813782/delup.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000067f1.bin
b57c032109979d263dc31394eabe37ab578d1d806cf520162c544b7404268db2		 pdf-font-stream PDF embedded font (sfnt) at offset 0x67F1 10572 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.