Malicious PDF — malware analysis report

Static analysis result for SHA-256 72dd3a2c16d5cadc…

Verdict: MALICIOUS
File type: PDF
Size: 68.1 KB
Created: 2020-03-20 02:40:21 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 3f1c99f3d5b7f2e41f44183133ee1135
SHA-1: 9287e106de884f7cea0ca3bbc8d537f5dfc771f7
SHA-256: 72dd3a2c16d5cadc9afd3bc3e6273bc6a21c5f2a9b211e0d000324e28574571c
Risk score: 96

Malware Insights

MITRE ATT&CK: T1566.001 Spearphishing Attachment

The PDF document contains a large number of external links, identified as a link farm, which is a common tactic for SEO manipulation or distributing malicious content. The ML classifier strongly indicated maliciousness, and the presence of numerous URLs suggests an attempt to redirect users to potentially harmful sites. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00006ea1.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6EA1  13972 bytes
  SHA-256: 3449b32310059fb206733777eff0c42c8a1fc4923af0ea7d21382e3abec35fe3
font_01_sfnt_off00008f21.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x8F21  12476 bytes
  SHA-256: 1d96429aa402e69f806d225ad4b5756fb5f4b88f61cbea1deb93ebe33a58f211
font_02_sfnt_off0000b69e.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xB69E  5968 bytes
  SHA-256: 695595e90fe1976e067c61d345d53ad0a308beb4940b9bde0adab2e9ecccfc0e
font_03_sfnt_off0000c9eb.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xC9EB  18608 bytes
  SHA-256: e2b69bb4f43f8cdc1464e09c0795b06634384065de0afb15ed7bc22c4d63bf52
font_04_sfnt_off0000e764.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xE764  8460 bytes
  SHA-256: 6204aa9299f811ffbadc12a84b46a780f3b457f30111006905f3318cdf84a256