Malicious PDF — malware analysis report

Static analysis result for SHA-256 7031b348845aadca…

MALICIOUS

PDF

38.8 KB Created: 2020-04-03 17:46:11 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: b81310d2fe8c310492dd18d22ba6edb4 SHA-1: c0b3ba58d4244073ec209e53bb8bb85aa11d008b SHA-256: 7031b348845aadca8207e293b696f960b0b85ecd1f4ff3510057adb17b040d80
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF document contains a large number of embedded external links, a technique often used for SEO manipulation or to redirect users to malicious sites. The ML classifier strongly indicated maliciousness, and the PDF_SEO_LINK_FARM heuristic confirms the presence of a link farm. No scripts were extracted, but the sheer volume of outbound links suggests a high likelihood of malicious intent, possibly leading to further compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://bwsinvestments.com/uploads/1/3/0/9/130969065/130969065.html#tejido+cartilaginoso+hialino
    • http://etrelibre.com/uploads/1/3/0/4/130491513/45ba47151949a.pdf
    • http://jagkcapitalpartners.com/uploads/1/3/0/5/130589161/xufibipez-dodal.pdf
    • http://thefancybakery.com/uploads/1/3/0/6/130620782/faziwixenimutetigod.pdf
    • http://mickwallis.com/uploads/1/3/0/3/130324241/e080379d99168.pdf
    • http://pasadena-dogtraining.com/uploads/1/3/0/5/130588225/tipuwegobob-rotojivixinev.pdf
    • http://taliamariani.com/uploads/1/3/0/7/130776371/4508855.pdf
    • http://iamkingbagi.com/uploads/1/3/0/6/130620544/ad3da0f0c4f26af.pdf
    • http://mamabeingyoga.com/uploads/1/3/0/7/130740556/raxonogin-susutemilo-motunolujis.pdf
    • http://www.pastisfuture.org/uploads/1/3/0/6/130621223/lipim_luwebuvaxu_naludozap.pdf
    • http://rybranelectrical.ca/uploads/1/3/0/3/130323115/zejixojitok_babedetoxeviv_zirirokefofexiw.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006db8.bin
a9636963e12d5d426c5353986ca1130f9af19294c4c1071fd0d2b7c3dd1e0914		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6DB8 8508 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.