Malicious PDF — malware analysis report

Static analysis result for SHA-256 69b8ae2dfdcde19b…

MALICIOUS

PDF

37.2 KB Created: 2020-03-10 08:07:30 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: b92149c6bbdf49a6c30a37fa9d26cf05 SHA-1: 4645e1b990ba194c1bb9624427cc9a256d412847 SHA-256: 69b8ae2dfdcde19b02f069b32268ec2de0c129279768fc9357217d29ce66f0b0
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous embedded URLs, many of which are structured as SEO link farms, suggesting a malicious intent to redirect users to potentially harmful content. The ML classifier strongly flagged this PDF as malicious, and the presence of external URIs further supports this assessment. No scripts were extracted, but the sheer volume of links indicates a high likelihood of a phishing or malware distribution scheme.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://dennis-bowen.pleasingfood.com/uploads/1/3/0/7/130775171/130775171.html#adobe+acrobat+xi+pro+macro
    • http://baobabtreestudio.net/uploads/1/3/0/2/130287317/e2daa2c3a.pdf
    • http://rachelpendergraft.net/uploads/1/3/0/3/130313087/xofiluxolojegukani.pdf
    • http://zilisrep.com/uploads/1/3/0/5/130540172/nebunob.pdf
    • http://startapper.com/uploads/1/3/0/6/130620930/tavunobivovib.pdf
    • http://lashed-by-lo.com/uploads/1/3/0/9/130969164/cce2912c43dd4.pdf
    • http://allriversidehomes.com/uploads/1/3/0/7/130775222/3295481.pdf
    • http://davebaskind.com/uploads/1/3/0/7/130739024/xojiwivuminur.pdf
    • http://www.oceanenergycharters.com/uploads/1/3/0/6/130620564/vutasojelibosim.pdf
    • http://nangginkui.com/uploads/1/3/0/4/130435834/gabikobu.pdf
    • http://clickpaydemo.com/uploads/1/3/0/7/130739200/425925b.pdf
    • http://www.winefest.ca/uploads/1/3/0/5/130541424/4266218.pdf
    • http://swearingenfamily.com/uploads/1/3/0/3/130379291/9a71d2.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000069e9.bin
c1a04d167e9eac08575508322e07b1bbef8e97e785deab0bceb0c3668e754a58		 pdf-font-stream PDF embedded font (sfnt) at offset 0x69E9 7668 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.