Malicious PDF — malware analysis report

Static analysis result for SHA-256 5b6877e78c30288f…

MALICIOUS

PDF

43.3 KB Created: 2020-04-09 01:57:48 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: a1fd3f70e927be941f01640a1f5c70d4 SHA-1: 9726e110cc5166339e204e5f02ea6a826f95de8c SHA-256: 5b6877e78c30288fe0b4cab35b36f34f6a786d7de289ba5999d970869b475b60
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF file contains a large number of embedded external links, many of which point to similarly structured URLs on different domains. This pattern is indicative of a link farm or a mechanism to distribute malicious content across multiple sites. The ML classifier strongly flagged this PDF as malicious, supporting the assessment that it is not benign. No scripts were extracted, but the sheer volume of external links suggests a malicious intent to redirect users to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://kidsbypatri.com/uploads/1/3/0/6/130603743/130603743.html#traduction+hallelujah+leonard+cohen
    • http://doworkdenver.com/uploads/1/3/1/3/131381901/364958.pdf
    • http://theaxistence.com/uploads/1/3/0/6/130604229/5425290.pdf
    • http://godutchtradingco.com/uploads/1/3/0/7/130740433/wakepakibala.pdf
    • http://cellupica.ca/uploads/1/3/1/3/131379769/xoxinenejun.pdf
    • http://slpkeys.com/uploads/1/3/1/3/131379860/1679716.pdf
    • http://the-nbcc.com/uploads/1/3/0/5/130544898/guwawebajorinaw_vivijafawim_tanuwaxepuwibi.pdf
    • http://larschellberg.com/uploads/1/3/1/0/131070711/wofikigaki.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006834.bin
a06022d14e2729ceb262a33ee32f9490a3943b242a0aa2d9f55d7a6d9f610533		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6834 9748 bytes
font_01_sfnt_off00008a2c.bin
779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8A2C 16036 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.