Malicious PDF — malware analysis report

Static analysis result for SHA-256 6181f06d58002554…

Verdict: MALICIOUS
File type: PDF
Size: 31.1 KB
Created: 2020-04-15 17:30:50 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 893df826ae850e83cae1fb74ceb29c88
SHA-1: 50f1ad88ffb78f572d11d9ebe7d0240765c93fd7
SHA-256: 6181f06d580025541f5a42ec7990a4f5bcddd05de481635216d100b9079c1e9e
Risk Score: 156

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many of which point to other PDF files hosted on similar domains. This suggests a link farm or SEO manipulation tactic, potentially used to distribute malicious content or pages. The heuristic 'PDF_SEO_LINK_FARM' strongly indicates this malicious intent. While no scripts were directly extracted, the presence of numerous external links and the ML classifier's high confidence score support a malicious verdict.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (6)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_PASSWORD_ARCHIVE_LURE (high): Password-protected archive handoff
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning.
  • SE_QR_LURE (medium): QR-code redirect lure
    Document instructs the user to scan a QR code with a phone — consistent with QR phishing, but also common in legitimate documents.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://artopath.com/uploads/1/3/0/2/130270945/130270945.html#ip+camera+installation+guide+pdf
    • http://tatumsdessert.com/uploads/1/3/0/5/130544295/65a3b906.pdf
    • http://elitedoorla.com/uploads/1/3/0/5/130545557/4566555.pdf
    • http://nancythedatingdiva.com/uploads/1/3/1/4/131438788/725868.pdf
    • http://1stchoicefloristryevents.com/uploads/1/3/1/0/131070071/kidolig-pelagagimes.pdf
    • http://newageoflight.com/uploads/1/3/0/5/130588906/ziworetiwopuv.pdf
    • http://youngpeacemakerscamp.com/uploads/1/3/1/4/131453896/dad94.pdf
    • http://saksfive.com/uploads/1/3/0/4/130435751/xadege.pdf
    • http://cleanoutcavalry.net/uploads/1/3/1/4/131453960/3262600.pdf
    • http://estructurasjvimart.com/uploads/1/3/0/6/130639802/530dcbc40.pdf
    • http://kathleenwebercoaching.com/uploads/1/3/1/0/131070895/1084169.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000053a5.bin
SHA-256: 3be3fab131fe8f3a4a1d8ccf97322acc056e557ded568e856dd55ad9516d2fc0
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x53A5
Size: 7396 bytes