Malicious PDF — malware analysis report

Static analysis result for SHA-256 644ea6e07bf5f7c1…

Verdict: MALICIOUS
File type: PDF
Size: 72.5 KB
Created: 2020-04-01 14:12:00 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: f7c342a090f19680f045bcb3d7be0fca
SHA-1: c6dc3ed5b17a7f6d262ffe3a9504de6331a75d0a
SHA-256: 644ea6e07bf5f7c1cef5bfff380825fddf801653fbcccd547dc3db679999f925
Risk Score: 136

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript
  • T1203 Exploitation for Client Execution

This PDF document contains a large number of embedded external links, identified as a PDF link farm. The primary purpose appears to be SEO manipulation or to serve as a distribution point for other malicious content. While no scripts were explicitly extracted, the presence of numerous external links and the ML classifier's high confidence suggest a malicious intent to redirect users to potentially harmful sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_LOLBIN_RUN_COMMAND (high): LOLBin token sequence in document text
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off0000db61.bin
    SHA-256: 441e0314b6197f3547a230df11f81943a32d34c691d528c2fffb64ef1d239529
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xDB61
    Size: 9608 bytes
  • Filename: font_01_sfnt_off0000fdae.bin
    SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xFDAE
    Size: 16036 bytes