Malicious PDF — malware analysis report

Static analysis result for SHA-256 6c53931831bb0286…

MALICIOUS

PDF

50.3 KB Created: 2020-06-19 01:42:02 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 66f12a293a3059817adae6906262e358 SHA-1: 2cef0903c71967ce053b7b057f65dd90bb4fd9c2 SHA-256: 6c53931831bb0286b27706c4d7b24e7c9319ec6cc918e7fdda3c0dc10ad9502b
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF document contains a large number of external links, identified as a PDF link farm, suggesting a tactic to manipulate search engine results or distribute malicious content. The ML classifier strongly flagged this PDF as malicious, and the presence of numerous external URIs points towards a potential distribution or SEO poisoning campaign. No scripts were extracted, but the sheer volume of external links is highly suspicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://guarderobe.com/uploads/1/3/0/7/130739433/130739433.html#health+nervous+system+review+crossword+answers
    • http://the-high-vibe-tribe.com/uploads/1/3/0/3/130313243/fijadofuxurak_jivufokujova.pdf
    • http://fssgroup.org/uploads/1/3/0/5/130589452/siwapudaze.pdf
    • http://nudibranchartglass.net/uploads/1/3/0/9/130969819/9da60637c23.pdf
    • http://americangovernmentservices.com/uploads/1/3/0/6/130603740/7a49b2fc32df.pdf
    • http://dc-68aa63d31875.preferredagent.org/uploads/1/3/1/4/131406288/1934561.pdf
    • http://ntpsychologygroup.com/uploads/1/3/0/6/130640029/4546228.pdf
    • http://host160.carmichaelnl.com/uploads/1/3/0/8/130813577/numoxadulewivuxabuf.pdf
    • http://curefundraiserevents.com/uploads/1/3/0/3/130323154/denegules.pdf
    • http://midwestundergroundinc.com/uploads/1/3/0/2/130289291/padaf.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000088be.bin
5edec5b8dc9d9aa322ba43ca477b0030f0eb113b0e28917e5315e47a80d8d014		 pdf-font-stream PDF embedded font (sfnt) at offset 0x88BE 5276 bytes
font_01_sfnt_off00009a8d.bin
f78423b8f0fd047dc405f8beeb008b27695d42a15660dba615f991b7a3e831b3		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9A8D 10076 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.