Malicious PDF — malware analysis report

Static analysis result for SHA-256 707dd5177a1b7aef…

MALICIOUS

PDF

45.8 KB Created: 2020-04-09 11:41:39 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 879fc791ff4b42f5b033c468fb9f2bce SHA-1: 8642340467b7d8f9de26e07273da3ba166d1f234 SHA-256: 707dd5177a1b7aefeb1bf0b71ed7f1efb5c269754cf4ff65a74001f9b5070bdd
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document contains a large number of embedded URLs pointing to external PDF files across numerous domains. The heuristic 'PDF_SEO_LINK_FARM' strongly suggests this is a link farm, likely intended for SEO manipulation or to distribute malicious content. While no scripts were explicitly extracted, the nature of the embedded URLs and the ML classification indicate a malicious intent to redirect the user to potentially harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://debalm.net/uploads/1/3/0/5/130588395/130588395.html#right+place+wrong+face+questions
    • http://raahulramakrishnan.com/uploads/1/3/0/6/130620321/pisexukagoxol.pdf
    • http://tabi-brose44.com/uploads/1/3/0/6/130603740/tafebutikegug_regijasinala.pdf
    • http://prc-construction.com/uploads/1/3/1/0/131069910/lelur-fuwimive.pdf
    • http://pridestoneconsulting.com/uploads/1/3/0/5/130539084/65b151a.pdf
    • http://omahafoodguide.com/uploads/1/3/0/4/130476429/9563921.pdf
    • http://ansorbanserpackedungjati.com/uploads/1/3/0/7/130738636/4922969.pdf
    • http://tjkirk.net/uploads/1/3/1/0/131071041/tugemurimuwedi.pdf
    • http://recordmaloneestate.com/uploads/1/3/0/3/130323301/61125bc00cdfce.pdf
    • http://immigrantbuttonproject.com/uploads/1/3/0/7/130776730/donarodovaxogo_lezim_vazov_fajok.pdf
    • http://vo-vin.com/uploads/1/3/0/9/130969607/teloberijagepa.pdf
    • http://daisyeco.mobi/uploads/1/3/0/3/130313766/fekasise.pdf
    • http://veterantransition.xyz/uploads/1/3/1/0/131070407/73d8f0b0eb6acd4.pdf
    • http://mari-ellenphotography.com/uploads/1/3/0/3/130313274/nemarazomon.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://www.adobe.com/).Noto
    • http://www.google.com/get/noto/http://www.adobe.com/type/This
    • http://scripts.sil.org/OFLNoto

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007ad5.bin
4ff5a040d4aa6a1ffbf7a9cb720e12846ad908d2fec309c67dbaca5cc2f17d04		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7AD5 8396 bytes
font_01_sfnt_off00009b15.bin
885781ec91db75dc8c4a6a3d3dac0324bdfdb8f2239dab70466c62035ae072da		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9B15 4144 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.