Malicious PDF — malware analysis report

Static analysis result for SHA-256 6608eab9bc15ce8c…

MALICIOUS

PDF

37.9 KB Created: 2020-03-09 05:41:06 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 25793347e3d02412c2057a641326d4ea SHA-1: be58e49732f46ac79326693071ee3c3d35683805 SHA-256: 6608eab9bc15ce8cc3fc77146f862338c9feca67bd7e11a2f1afd616e15d097d
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF document contains a large number of embedded external links, a technique often used for SEO spam or to redirect users to malicious sites. The ML classifier strongly indicated maliciousness, and the PDF_SEO_LINK_FARM heuristic confirms the presence of a link farm. No scripts were extracted, but the embedded URLs are the primary indicators of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://lmi7fs.salon225.com/uploads/1/3/0/8/130874691/130874691.html#shunt+trip+breaker+wiring+diagram+schneider
    • http://hostmaster.takst-huset.com/uploads/1/3/0/3/130313235/dugibidakaguki.pdf
    • http://preservetheriverwalk.com/uploads/1/3/0/4/130492127/foruludiwa.pdf
    • http://kcdermodywriter.com/uploads/1/3/0/5/130589009/wajatudonuleno.pdf
    • http://risesportscast.com/uploads/1/3/0/7/130775644/fijikubope.pdf
    • http://74-123-77-18.mgwnet.com/uploads/1/3/0/7/130776619/pezosaku.pdf
    • http://kokoclothing.com/uploads/1/3/0/7/130739875/laminisawan.pdf
    • http://biglittletaco.com/uploads/1/3/0/3/130313198/0d85a.pdf
    • http://www.fitlabproject.com/uploads/1/3/0/7/130739549/xinofokezaxevemo.pdf
    • http://bettereditor.net/uploads/1/3/0/4/130483351/b1e8ace5a.pdf
    • http://yaggaradio.com/uploads/1/3/0/8/130813582/1472182.pdf
    • http://autodiscover.lilhandsbigdreams.com/uploads/1/3/0/5/130588685/7750832.pdf
    • http://escaperoomtysonscorner.com/uploads/1/3/0/8/130874305/6f9b2e.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006d64.bin
b4b25218c4cbd20f022a3ed323aaa93d5fb2ef2e9c12a77facf35028dfbba9da		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D64 7400 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.