Malicious PDF — malware analysis report

Static analysis result for SHA-256 6f095cafd22b9b1e…

MALICIOUS

PDF

40.8 KB Created: 2020-04-11 11:26:59 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: b719d4d96910b1514ac4d2f33df15123 SHA-1: f4cbe12f59af16c749f21f3bd0464d98a926da54 SHA-256: 6f095cafd22b9b1e4f25299991f26f20f2a99f4a2bdf16e0fa281872365a1dbd
104 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous links to external websites, many of which appear to be part of a link farm designed to manipulate search engine results. The ML classifier strongly indicated maliciousness, and the presence of a 'Maplestory character cards' lure suggests a phishing or scam attempt. While no scripts were directly extracted, the PDF structure and extensive external linking are indicative of malicious intent, likely to redirect users to malicious content or phishing pages.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9979

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://thegivingend.com/uploads/1/3/0/7/130776295/130776295.html#maplestory+character+cards
    • http://sunbuiltconstruction.com/uploads/1/3/0/2/130272281/noxogujok_rabogigilejuj_nusumoxetozike_zisatariwupon.pdf
    • http://sciencemomsdoc.com/uploads/1/3/0/6/130603851/wogixufagez_fapabote_gulapigago.pdf
    • http://hydrahaircare.org/uploads/1/3/0/7/130738991/ad9d3.pdf
    • http://handymanservices.info/uploads/1/3/0/2/130288710/rubulidajoz_nizagasexufole_busopekube_pegokokozibikab.pdf
    • http://scentmagicbypam.com/uploads/1/3/0/6/130605416/e4731d05215.pdf
    • http://blairbusbee.com/uploads/1/3/1/0/131069987/judezeruxemib.pdf
    • http://nathansonnenbergresume.com/uploads/1/3/0/2/130270914/fewaxulopetik.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007785.bin
63577fa3d09ada76a2d88702e7b23aeaf4fa2abc6674349e27476c39b7594a0b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7785 8384 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.