Malicious PDF — malware analysis report

Static analysis result for SHA-256 5fd3d19afa38a790…

Verdict: MALICIOUS
File type: PDF
Size: 67.2 KB
Created: 2020-04-19 00:23:39 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 8907d7c55452f1c5e46ce6de0561a4ae
SHA-1: 21f9166702331eb084ef316cbd519812012f71ce
SHA-256: 5fd3d19afa38a790b69f715297edf1264cdcd60f32134d850c9e39ed319b1560
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF contains numerous embedded URLs. The clickable ones point to further PDFs hosted under an identical /uploads/1/3/x/x/<id>/ path template, the signature of a generated link farm built to manipulate search engine results or to redirect users to potentially harmful sites; the ML classifier flags the file as malicious as well. No scripts were extracted, so the T1059.007 (JavaScript) mapping rests on the classifier and heuristic verdicts rather than on recovered script content. The volume of external links together with the 'Canon setup utility' lure in the first link's URL fragment indicates a phishing or SEO-spam campaign.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.7359

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content; for this sample it stayed at info.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL labels say which channel (macro, JS, link annotation, document body, ...) reached each URL. The extracted URLs fall into three groups.
    External link targets (the link-farm .pdf set and the 'Canon setup utility' lure page):
    • http://duncansimpsonassociates.com/uploads/1/3/0/6/130639977/130639977.html#canon+setup+utility
    • http://mooracrc.com/uploads/1/3/0/7/130776824/fexufavekive.pdf
    • http://limassolcoffeefestival.com/uploads/1/3/1/3/131379361/jatapawid-jetisixeg.pdf
    • http://goncaval.com/uploads/1/3/0/5/130547373/68e9e.pdf
    • http://vistum.fi/uploads/1/3/0/2/130288492/ponebi-susejozebefej.pdf
    • http://globalinvesther.org/uploads/1/3/0/5/130551241/fb59149742ab.pdf
    XMP/RDF metadata namespace URIs (present in any XMP-bearing PDF; not indicators):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    Fragments of the embedded fonts' copyright and licence notices (Noto, DejaVu, SIL OFL); the URL extractor ran some of them together with adjacent text, so they are reproduced as extracted:
    • http://www.adobe.com/).Noto
    • http://www.google.com/get/noto/http://www.adobe.com/type/This
    • http://scripts.sil.org/OFLNoto
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
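As an added example (not the analyzer's code and not from the report), the following Python triage script implements the three heuristic shapes above over a constructed PDF fragment: duplicate-object detection with first-wins/last-wins resolution and active-content escalation (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL), /URI link-annotation extraction with host-clustered link-farm scoring (PDF_SEO_LINK_FARM), and channel labelling of every URL found in the file so XMP namespace noise is separated from clickable targets (EMBEDDED_URL). The thresholds (200 KB, five .pdf links, 60% on one host), the active-content keyword list and the sample hostnames are assumptions for illustration, not the analyzer's tuning.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (not the analysed file): a tiny PDF with six /URI link
# annotations, five of them .pdf targets clustered on one host, an XMP
# namespace URI in metadata, and object 4 0 defined twice with different
# bodies, the second carrying an /OpenAction (incremental-update shape).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [10 0 R 11 0 R 12 0 R 13 0 R 14 0 R 15 0 R] >> endobj
4 0 obj << /Title (Canon setup utility) >> endobj
5 0 obj << /Type /Metadata /Subtype /XML >> stream
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"/>
endstream endobj
10 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm-host.example/uploads/1/3/0/7/a.pdf) >> >> endobj
11 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm-host.example/uploads/1/3/1/3/b.pdf) >> >> endobj
12 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm-host.example/uploads/1/3/0/5/c.pdf) >> >> endobj
13 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm-host.example/uploads/1/3/0/2/d.pdf) >> >> endobj
14 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://other-host.example/uploads/1/3/0/5/e.pdf) >> >> endobj
15 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://lure-host.example/setup.html#canon+setup+utility) >> >> endobj
4 0 obj << /Title (Canon setup utility) /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(?<!\d)(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
ANY_URL_RE = re.compile(rb"https?://[^\s<>()\"']+")
# Keys treated as "active content" (assumed list for this example).
ACTIVE_RE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA|SubmitForm|GoToR)\b")
XMP_NS_PREFIXES = ("http://www.w3.org/1999/02/22-rdf-syntax-ns#",
                   "http://purl.org/dc/elements/1.1/", "http://ns.adobe.com/")


def scan_objects(data):
    """Map (number, generation) -> list of body bytes, in file order."""
    objs = {}
    for m in OBJ_RE.finditer(data):
        key = (int(m.group(1)), int(m.group(2)))
        objs.setdefault(key, []).append(m.group(3).strip())
    return objs


def duplicate_objects(objs):
    """PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: same (N, G) defined more than once
    with different bytes. A first-wins reader sees bodies[0], a last-wins
    reader bodies[-1]; severity is raised only if either carries active content."""
    findings = []
    for key, bodies in objs.items():
        if len(bodies) > 1 and len(set(bodies)) > 1:
            first, last = bodies[0], bodies[-1]
            active = bool(ACTIVE_RE.search(first) or ACTIVE_RE.search(last))
            findings.append({"obj": key, "first_wins": first, "last_wins": last,
                             "severity": "raised" if active else "info"})
    return findings


def link_annotation_urls(data):
    """Targets of /URI actions (the clickable-link channel)."""
    return [u.decode("latin-1") for u in URI_RE.findall(data)]


def link_farm_score(data, max_size=200_000, min_pdf_links=5, cluster_ratio=0.6):
    """PDF_SEO_LINK_FARM: small file, many clickable external .pdf links,
    most of them on a single host. Thresholds are illustrative assumptions."""
    pdf_links = [u for u in link_annotation_urls(data)
                 if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    ratio = top_n / len(pdf_links) if pdf_links else 0.0
    fired = (len(data) <= max_size and len(pdf_links) >= min_pdf_links
             and ratio >= cluster_ratio)
    return {"file_size": len(data), "pdf_links": len(pdf_links), "hosts": dict(hosts),
            "top_host": top_host, "cluster_ratio": round(ratio, 2), "fired": fired}


def label_urls(data):
    """EMBEDDED_URL: every URL in the file, labelled by the channel it came from,
    so XMP namespace noise is not confused with clickable targets."""
    clickable = set(link_annotation_urls(data))
    labels = {}
    for raw in ANY_URL_RE.findall(data):
        url = raw.decode("latin-1")
        if url in clickable:
            labels[url] = "link_annotation"
        elif url.startswith(XMP_NS_PREFIXES):
            labels[url] = "xmp_namespace"
        else:
            labels[url] = "body_or_metadata"
    return labels


if __name__ == "__main__":
    for d in duplicate_objects(scan_objects(SAMPLE_PDF)):
        print("duplicate object", d["obj"], "severity", d["severity"])
    print("link farm:", link_farm_score(SAMPLE_PDF))
    for url, channel in label_urls(SAMPLE_PDF).items():
        print(f"{channel:18s} {url}")
```

The script deliberately scans the raw bytes instead of walking a parsed object tree: a conforming parser resolves each object number once and would hide exactly the duplicate definitions the heuristic is looking for. The trade-off is coverage: objects packed into compressed object streams and /URI values written as hex strings (`<...>`) are not seen, so on a real sample run it over the inflated streams as well.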

Extracted artifacts (3)

Files carved from inside the sample during analysis. Offsets are positions in the file; the listed sizes do not fit between consecutive offsets (0xEBD7 + 16160 bytes already exceeds the 67.2 KB file), so they are evidently the decoded stream lengths rather than on-disk extents.

Filename: font_00_sfnt_off00004620.bin
  SHA-256: da8bf695b83ec6c14478af3a3cfcc8e2b0b233a34c22c5201fa290c5f6c901a9
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x4620
  Size: 6304 bytes

Filename: font_01_sfnt_off00005f3e.bin
  SHA-256: b7a400401c11f1784d764dbcd3183480444ea9d7048ef0984d03126aa224415b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5F3E
  Size: 45600 bytes

Filename: font_02_sfnt_off0000ebd7.bin
  SHA-256: 2f79ba52acca039e5c354f09c372eb8b3e5c303dfc88b98fa2ec462876c681ba
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xEBD7
  Size: 16160 bytes
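The report lists each carved font by offset and length but does not say how the analyzer bounded them. As an added example (not the analyzer's code), here is a Python carver that locates sfnt headers in a raw byte buffer and sizes each font from its own table directory, rejecting look-alike byte runs that fail header validation. The sample blob and the two minimal fonts inside it are constructed for the demo; the 64-table cap is an assumed sanity limit.

```python
import struct

# sfnt version tags: TrueType (0x00010000 or 'true'), CFF-based OpenType ('OTTO'),
# and the old Apple 'typ1' wrapper.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"OTTO", b"true", b"typ1")


def parse_sfnt_at(buf, off, max_tables=64):
    """Validate an sfnt header at buf[off:] and size the font from its table
    directory. Returns (size, [tags]) or None if the candidate is not a font."""
    if off + 12 > len(buf) or buf[off:off + 4] not in SFNT_MAGICS:
        return None
    num_tables = struct.unpack_from(">H", buf, off + 4)[0]
    if not 1 <= num_tables <= max_tables:           # random bytes usually fail here
        return None
    dir_end = 12 + 16 * num_tables                   # header + table records
    if off + dir_end > len(buf):
        return None
    extent, tags = dir_end, []
    for i in range(num_tables):
        tag, _checksum, toff, tlen = struct.unpack_from(">4sIII", buf, off + 12 + 16 * i)
        if not all(32 <= c < 127 for c in tag):      # tags are printable ASCII
            return None
        if toff < dir_end or toff + tlen > len(buf) - off:   # table must follow the directory and fit
            return None
        tags.append(tag.decode("ascii"))
        extent = max(extent, toff + tlen)
    return extent, tags


def carve_sfnt(buf):
    """Scan a byte buffer (e.g. an inflated FontFile2/FontFile3 stream) for sfnt
    fonts; returns [{'offset', 'size', 'tags'}] in file order."""
    found, pos = [], 0
    while True:
        hits = [h for h in (buf.find(m, pos) for m in SFNT_MAGICS) if h != -1]
        if not hits:
            return found
        off = min(hits)
        parsed = parse_sfnt_at(buf, off)
        if parsed is None:
            pos = off + 1                            # false positive, keep scanning
            continue
        size, tags = parsed
        found.append({"offset": off, "size": size, "tags": tags})
        pos = off + size                             # skip past this font


def build_sfnt(magic, tables):
    """Assemble a minimal sfnt (header, directory, table data) for the demo."""
    dir_len = 12 + 16 * len(tables)
    records, body = b"", b""
    for tag, data in tables:
        records += struct.pack(">4sIII", tag, 0, dir_len + len(body), len(data))
        body += data
    return magic + struct.pack(">HHHH", len(tables), 0, 0, 0) + records + body


# Constructed blob: PDF-looking filler, a decoy 'true' that is not a font
# (its numTables field reads 0xFFFF), then two real minimal fonts.
FONT_A = build_sfnt(b"\x00\x01\x00\x00", [(b"head", b"A" * 16), (b"cmap", b"B" * 32)])
FONT_B = build_sfnt(b"OTTO", [(b"CFF ", b"C" * 32), (b"cmap", b"D" * 16)])
SAMPLE_BLOB = (b"%PDF-1.4 junk " + b"true" + b"\xff\xff\xff\xff" + b"x" * 20
               + b"stream\n" + FONT_A + b"\nendstream " + b"\0" * 9 + FONT_B + b"trailer")

if __name__ == "__main__":
    for f in carve_sfnt(SAMPLE_BLOB):
        print(f"sfnt at offset 0x{f['offset']:X}, {f['size']} bytes, tables {f['tags']}")
```

On a real PDF, run the carver over the inflated font stream bytes: font streams are normally FlateDecode-compressed, so a scan of the raw file finds nothing. A font whose table-directory extent disagrees with the stream's decoded /Length is worth a second look, and since font parsers have a long history of memory-safety bugs, carved fonts belong in a sandboxed parser rather than on an analyst's desktop.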