Malicious PDF — malware analysis report

Static analysis result for SHA-256 6fb04d41a1b1dc5b…

Verdict: MALICIOUS
File type: PDF
Size: 37.9 KB
Created: 2020-06-07 13:05:02 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2257606b605f8afa3ef71f850ebe718f
SHA-1: e31f87941519ae4ea7e1ef6da2f3fbd91ecf3cf2
SHA-256: 6fb04d41a1b1dc5b6c9a6820d01a6b899f0398e6f955a855eb577466bd1395be
Risk score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF document contains a large number of embedded external links, identified as a 'PDF_SEO_LINK_FARM' heuristic. The document body, though heavily obfuscated, also contains URLs pointing to external resources. These findings suggest the document's primary purpose is to redirect users to potentially malicious websites, possibly for phishing or malware distribution.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, rule PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006471.bin
SHA-256: 897b1729a44d71944953c179d442766684ccd486a09ebea482b0ab77d1d7eb84
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6471
Size: 11144 bytes