Malicious PDF — malware analysis report

Static analysis result for SHA-256 5699f48bc2687472…

MALICIOUS

PDF

40.8 KB Created: 2020-04-04 14:15:57 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: d49bd2df66cbefb508b417299e26870c SHA-1: 249812ef76c36d8399fe78174a13e44b44986c70 SHA-256: 5699f48bc2687472fa1ef3956e2a20a0309de21796d227e27d8d0c47997b5d38
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

This PDF document was flagged by a machine learning classifier as malicious. It contains a large number of external links, many pointing to other PDFs hosted on various domains, suggesting a link farm or SEO abuse tactic. The document body contains a reference to 'Hobart handler 140 mig welder reviews', which appears to be a lure to attract traffic to these link farms. No scripts were extracted, but the sheer volume of outbound links to potentially malicious content is the primary indicator of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://nupelicanparty.org/uploads/1/3/0/5/130542734/130542734.html#hobart+handler+140+mig+welder+reviews
    • http://sachingolf.com/uploads/1/3/0/3/130312953/piresarexab_jawamilavuxevu.pdf
    • http://amazons-finest.com/uploads/1/3/0/5/130543054/wifigozawovo.pdf
    • http://bretagne-cmb.net/uploads/1/3/0/8/130874565/mimexaseragogokuko.pdf
    • http://goldenspiraldesigns.com/uploads/1/3/1/3/131381802/pejisabotelekaxux.pdf
    • http://marthym.com/uploads/1/3/1/3/131380383/zomevirezosot.pdf
    • http://sacredzones.com/uploads/1/3/0/5/130589283/takukobi.pdf
    • http://equiferusmedia.com/uploads/1/3/0/5/130590508/fageseda_wejixevad_zovudepu.pdf
    • http://gwygcustom.com/uploads/1/3/0/6/130622073/8027778.pdf
    • http://amandamarquezdance.com/uploads/1/3/1/4/131407395/4063603.pdf
    • http://www.messageinmusic.be/uploads/1/3/1/3/131398479/fujixujigolev.pdf
    • http://cocominksstore.com/uploads/1/3/0/5/130539679/rasibivefalozes.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006cdd.bin
11b246734ca0f485a9a41ecd105e934bcff572e702b79386e2a1644c98aaa78b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6CDD 2008 bytes
font_01_sfnt_off000075fb.bin
0bcab92730471010d725dee5d52870b87122defd86edeb1be5f57948d4c4d7a5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x75FB 8264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.