Malicious PDF — malware analysis report

Static analysis result for SHA-256 70c2d5c4a821c349…

MALICIOUS

PDF

Size: 35.9 KB
Created: 2020-04-04 12:11:58 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 681e500e7cf240418824a9d02589681b
SHA-1: 7009d431267d3d7569885ea4ab112f601ce7c264
SHA-256: 70c2d5c4a821c349d3847f81629a0a4e2ddc217dd4cba5e0fa0cf600c805a90a
Risk Score: 96

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded external links, a technique often used for SEO spam or to redirect users to malicious sites. The ML classifier strongly indicated maliciousness, and the PDF_SEO_LINK_FARM heuristic confirms the suspicious linking behavior. No scripts were extracted, but the sheer volume of links suggests an attempt to drive traffic to potentially compromised or malicious web pages.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000062a4.bin
SHA-256: 83fb9c10ece02a7222868cb5090192a95900a54339fae9fecf0b74018fd5b9ab
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x62A4
Size: 8292 bytes