Malicious PDF — malware analysis report

Static analysis result for SHA-256 5f8f7c124d351491…

MALICIOUS

PDF

43.7 KB Created: 2020-04-14 09:02:37 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: caf0edbd0299f51eab169dee5eda86b8 SHA-1: f62c1dc813df3e5fdf5e06802ecbcf8307c5f8eb SHA-256: 5f8f7c124d351491de46c416bbadf43e3ffb285a9e6b2e5e6945939606aa4ed4
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, many of which point to other PDF files, suggesting a link farm for SEO manipulation or malware distribution. The document body and embedded URLs indicate a lure related to cracked software ('maps.+me+pro+apk+cracked'). While no scripts were explicitly extracted, the PDF structure and extensive external linking are indicative of malicious intent, likely to redirect users to malicious sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9990

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://sapphire-lens-photography.com/uploads/1/3/1/6/131606984/131606984.html#maps.+me+pro+apk+cracked
    • http://driptipvape.net/uploads/1/3/0/9/130969618/5006246.pdf
    • http://cook-edu5.com/uploads/1/3/1/3/131380470/269351.pdf
    • http://thephillycomic.com/uploads/1/3/0/2/130289746/sakigasif-ramebuxegulona-xavixosakigomux.pdf
    • http://haykaymarket.com/uploads/1/3/1/3/131379228/wevarofamego.pdf
    • http://ericeirayogastudio.com/uploads/1/3/1/4/131408100/ce8666d4be4b.pdf
    • http://stellarroseboutique.com/uploads/1/3/0/5/130543539/femimopiwur-fibapumanig-telituz-lekisinajukif.pdf
    • http://carolinafaber.com/uploads/1/3/1/3/131381886/nisegoso.pdf
    • http://ueeservices.us/uploads/1/3/1/0/131069766/4704381.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000063bd.bin
c10f5f10228ae062f56615cc1c3b60c957e2290079f6e41cf14c839c5b94d8b8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x63BD 8812 bytes
font_01_sfnt_off0000850d.bin
83459e82cebe561b9e65dda6a09953c9e35f75e5df0fa62a624e1833cc5b8086		 pdf-font-stream PDF embedded font (sfnt) at offset 0x850D 1708 bytes
font_02_sfnt_off00008d74.bin
1ecf4184025095b9dd82a94d09b3d5222d6507c48361a498b56883e28bdde309		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8D74 16084 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.