Malicious PDF — malware analysis report

Static analysis result for SHA-256 60d4f6f8b526c4fe…

MALICIOUS

PDF

41.6 KB Created: 2020-06-19 01:40:49 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 0665d6d9a9912d6353bcf9b078f81765 SHA-1: 9d97d9c36ccdb245ef0d454ec11dba1b2a03599b SHA-256: 60d4f6f8b526c4fed8590d894974dbf2d81325c6230cd324b5780a61ffa32315
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF document contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. These links point to various domains, suggesting a link farm or a method to distribute malicious content. The ML classifier also strongly indicated maliciousness. No scripts were extracted, but the presence of numerous external URLs is a strong indicator of a malicious intent, likely to redirect users to phishing or malware hosting sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://shallop40.pleasingfood.com/uploads/1/3/0/6/130603905/130603905.html#american+journey+modern+times+textbook+online
    • http://theeshaundonexperience.com/uploads/1/3/0/6/130604515/2218139.pdf
    • http://urbanintrigue.com/uploads/1/3/0/2/130289244/322653.pdf
    • http://stylebecause.com/uploads/1/3/0/5/130539849/bizifewadu_rulodamagomiju_demegufixi.pdf
    • http://mta-sts.hopeak.org/uploads/1/3/0/3/130379611/mavapa.pdf
    • http://jthamericanstudies.com/uploads/1/3/1/1/131164012/fuxul-litokup.pdf
    • http://admin.norfolkhumanists.com/uploads/1/3/0/6/130621717/8847606.pdf
    • http://pairedupraleigh.com/uploads/1/3/0/5/130544703/4230107.pdf
    • http://postersandart.ca/uploads/1/3/1/6/131636781/tufekoboligu-pitekufelexara.pdf
    • http://gmlocksmiths.com/uploads/1/3/0/5/130547215/4054176.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006232.bin
79f73ba35298436a45cdaa5d07e48c8975fefacda68d1fe0db36502b05496283		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6232 5404 bytes
font_01_sfnt_off0000747a.bin
04f6dd2723036b69e36e0d9033bdd8c94463234ae3900e8e3622776f978259fe		 pdf-font-stream PDF embedded font (sfnt) at offset 0x747A 11740 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.