Malicious PDF — malware analysis report

Static analysis result for SHA-256 66c33a60e5e23074…

Verdict: MALICIOUS

File type: PDF

Size: 58.9 KB
Created: 2020-05-16 09:33:21 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 4c933c47de77dec582053b6e5a6c3657
SHA-1: 992631610d286f831ed229ad0df991926d664c90
SHA-256: 66c33a60e5e23074e56e900af701f4c4fa13ba79794fb6c9811a20488967f192
Risk score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains a lure for recovery secrets, likely aiming to phish credentials. It embeds a large number of external links, many of which point to PDF files hosted on similar domains, suggesting a link farm or content distribution network for malicious payloads. The ML classifier strongly indicated maliciousness, and the document body, though obfuscated, contains references to 'Secure shell ssh' and numerous URLs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (5)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_SECRET_RECOVERY_LURE (critical): Recovery secret / private key request
    Document requests recovery phrases, private keys, backup codes, or saved passwords. Requests for these secrets in a document are high-risk.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000b8e9.bin
SHA-256: 6a89187129bfff5f4e7deba46b3b9f735a7f915c9fb4beb66e9c910de0b2affd
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0xB8E9
Size: 11368 bytes