Malicious PDF — malware analysis report

Static analysis result for SHA-256 5fe4297ee55d34e9…

MALICIOUS

PDF

43.0 KB Created: 2020-04-08 07:07:12 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: f69bf843ecfddbae11b1d8ee272e382f SHA-1: 2fd82defd0b3bb204474532bc54b66f329ddcdef SHA-256: 5fe4297ee55d34e94da5a1d20cfcdde940a65c2fd0e0551e586a34b7f6fe5879
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1190 Exploit Public-Facing Application

This PDF file was flagged as malicious by an ML classifier and contains a large number of external links, many pointing to other PDF files. The document body contains obfuscated text and URLs, suggesting an attempt to manipulate search engine results or redirect users to malicious content. The primary attack pattern involves leveraging a large number of external links, likely to host or distribute further malicious payloads.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://newjerseyhomebuyerseminar.com/uploads/1/3/0/4/130436058/130436058.html#educacion+de+las+mujeres+mexicas
    • http://redwillowproductions.com/uploads/1/3/0/4/130436299/rokuroselumivipon.pdf
    • http://myspiritualpractice.com/uploads/1/3/0/7/130740591/6352503.pdf
    • http://willhawkbeats.com/uploads/1/3/0/3/130323097/wabemi.pdf
    • http://celebrateitevents.net/uploads/1/3/1/4/131406758/zakuziwigigisa_letezi_nonafotib.pdf
    • http://tradewindsoldfieldli.com/uploads/1/3/0/9/130970014/98acd66.pdf
    • http://rightathomeinspections.org/uploads/1/3/1/3/131380916/02729f5.pdf
    • http://adsl-65-71-85-34.lawsnakard.com/uploads/1/3/0/7/130775510/kuwopojapuwelukumono.pdf
    • http://excelsiorconstruction.us/uploads/1/3/0/8/130813588/8492287.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006aba.bin
419d3604ae4c6fcfc5045fb9893fe9a36e524ad4ee9471fde562aa792ae61a1c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6ABA 8200 bytes
font_01_sfnt_off000088f1.bin
779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63		 pdf-font-stream PDF embedded font (sfnt) at offset 0x88F1 16036 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.