Malicious PDF — malware analysis report

Static analysis result for SHA-256 5c044f7c6e6a209d…

Verdict: MALICIOUS
File type: PDF
Size: 72.8 KB
Created: 2020-04-06 05:27:20 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: ce989c07363b152713c0d5c590412899
SHA-1: b5830d7ffdeb3b06bf8d5b4934e4498def4c82ec
SHA-256: 5c044f7c6e6a209dea978b9faac593840cfc78b2d072e712c2f425a9f417af59
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded external links, identified as a link farm, suggesting a tactic to manipulate search engine results or redirect users to potentially malicious content. The ML classifier also flagged this PDF as malicious. While no scripts were directly extracted, the PDF structure and the numerous external links indicate a malicious intent to redirect users, likely as part of a phishing or SEO spam campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9815

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (7)

Files carved from inside the sample during analysis.

Each entry lists Filename, SHA-256, Kind, Source and Size.

  • stream_010_off0000de5d.bin
    SHA-256: 6f693709a4271c17c714aa2d4e6d870eb080d0c120a440861b8c6cd0f7210ddd
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0xDE5D
    Size: 19516 bytes
  • font_00_sfnt_off00006c4c.bin
    SHA-256: b1118302c5517eb61a6a239cbb0c0398f36a596cc95e76ebefef7294164c1510
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6C4C
    Size: 7316 bytes
  • font_01_sfnt_off00007f32.bin
    SHA-256: bbd465158f88620f6b89bbc14fd4053a393fda34b464cf5d9625b9580ee6f51f
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7F32
    Size: 10240 bytes
  • font_02_sfnt_off00009546.bin
    SHA-256: f9788175c9291f395e3ea249dc69470e5066f03f3dd865f883b5cd78a0a73c6e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9546
    Size: 11356 bytes
  • font_03_sfnt_off0000bb44.bin
    SHA-256: 03742b3af56d0894ab5df65dc3134d6d1f1537ecfbbc759efc3d5c9763d8381a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xBB44
    Size: 6908 bytes
  • font_04_sfnt_off0000d1f8.bin
    SHA-256: 4c93801c4768b9cf34ec960e4f85d683fdbe353adcc5a9e70f9f8b41c5e92470
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xD1F8
    Size: 3508 bytes
  • font_06_sfnt_off0000ff7f.bin
    SHA-256: 209285855742c6758e3ffd9d874aca3910af01dd296ec59719b0eb83c6708343
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFF7F
    Size: 7080 bytes