Malicious PDF — malware analysis report

Static analysis result for SHA-256 6201c3b290408b7b…

Verdict: MALICIOUS
File type: PDF
Size: 42.1 KB
Created: 2020-04-07 20:15:49 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 483aab6fe3a01d135b2c27cac065d4b8
SHA-1: def28c3fabaf0c219196df85ab80e0f4efd5e068
SHA-256: 6201c3b290408b7b468d881470ada38ff6b81129ec1cc2c4840c18d753981e4a
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains numerous embedded URLs pointing to external PDF files and HTML pages across various domains. The heuristic 'PDF_SEO_LINK_FARM' strongly suggests this is a link farm, likely intended for SEO manipulation or to distribute malicious payloads. While no scripts were explicitly extracted, the presence of many external links and the ML classifier's high confidence indicate malicious intent, possibly involving the exploitation of PDF vulnerabilities or social engineering.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://ingutenhaenden.net/uploads/1/3/0/7/130739755/130739755.html#himnos+sud+en+espanol
    • http://kaizenmarket.com/uploads/1/3/0/6/130639313/1d9c726fa54b6c.pdf
    • http://theempanadaladymaui.net/uploads/1/3/0/5/130543536/rubevinuda_varegakil_mibopose_tobiz.pdf
    • http://rammefix.no/uploads/1/3/0/4/130488924/6332303.pdf
    • http://o2mengineering.com/uploads/1/3/0/5/130588659/e1a3962b86aaaad.pdf
    • http://txschoolchoicerally.com/uploads/1/3/0/4/130476814/bobezatupe.pdf
    • http://brandon3d.com/uploads/1/3/0/7/130739117/3e9558e3c5a6.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0000651b.bin
    SHA-256: eaa8c9aedae7c28ebf2847342acf92a2e07f674760d6d8cd87dfb4ef8734b8c7
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x651B
    Size: 9020 bytes
  • font_01_sfnt_off0000859a.bin
    SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x859A
    Size: 16036 bytes