Malicious PDF — malware analysis report

Static analysis result for SHA-256 6bf956cb7ab00d2c…

MALICIOUS

PDF

36.6 KB Created: 2020-03-13 08:18:30 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 003bd151343f180a4218a54b7898839d SHA-1: a8a50da9f25ade3b3aebf14529dc41aeed684e9f SHA-256: 6bf956cb7ab00d2cc99c4a65a9f744d76817ae2645a5ec393c004af1b1a7e0b3
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous embedded URLs, many of which are part of a link farm designed to manipulate search engine results. The document body, though heavily obfuscated, contains a URL that points to a page also claiming to offer 'iota amharic bible free software'. This suggests a lure to drive traffic to potentially malicious or spam-related websites. No scripts were extracted, but the PDF structure and embedded links are indicative of a malicious SEO spam campaign.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://4pwcrv.bdgct.com/uploads/1/3/0/6/130621782/130621782.html#iota+amharic+bible+free+software
    • http://chinesebakery.co.uk/uploads/1/3/0/5/130588188/8a6e030e4fcb.pdf
    • http://festivalsmattermoore.com/uploads/1/3/0/5/130588899/f32ca.pdf
    • http://adnmodels.com/uploads/1/3/0/8/130814761/2968568.pdf
    • http://tpropsg.com/uploads/1/3/0/8/130813427/2482282.pdf
    • http://bluewingstudio.com/uploads/1/3/0/7/130776006/jenaluva.pdf
    • http://alaskatravelconcierge.com/uploads/1/3/0/5/130588427/gepixemagewofa-titoxitaw.pdf
    • http://camilamcnemar.com/uploads/1/3/0/3/130313346/bafitorinolako_zixozaboz_niwimujejajogi_matixawetivafem.pdf
    • http://daytonconcretecontractors.com/uploads/1/3/0/7/130739225/wujaz.pdf
    • http://www.mysfcoach.com/uploads/1/3/0/2/130289745/javotalinesed.pdf
    • http://cryptothermal.com/uploads/1/3/0/5/130544898/jetisupibiranuf-wavarutaxasarat.pdf
    • http://chicagonightlifepass.com/uploads/1/3/0/8/130813497/4015e43b01e60cc.pdf
    • http://prettycharmedcraftkits.com/uploads/1/3/0/5/130545484/65366173b93026.pdf
    • http://trumanssociology.com/uploads/1/3/0/5/130538925/c7f91b7ca7cf906.pdf
    • http://crewbazaar.com/uploads/1/3/0/4/130491008/6293ace51e0a79.pdf
    • http://parkcityshuttlecompany.com/uploads/1/3/0/8/130813461/budob-kopujoreparux-zomujekegifuzar-daseza.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000652e.bin
048bf5bacdc831df37eb4dc749db11c3d19d28c8224bae6af9f33325c93888ca		 pdf-font-stream PDF embedded font (sfnt) at offset 0x652E 8248 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.