Malicious PDF — malware analysis report

Static analysis result for SHA-256 7325e3367acbadbb…

MALICIOUS

PDF

39.4 KB Created: 2020-04-16 17:01:52 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 96a6992706595f466442b6c5d61336b0 SHA-1: c003c1540c2aaaede752806c8fb95b4a1aeb1697 SHA-256: 7325e3367acbadbbb9fd389c2b7df17b8364f23399d64eb1cdbcc3b9e85e3fc7
136 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript T1203 Exploitation for Client Execution

The PDF contains numerous embedded URLs that point to external websites, many of which are structured as link farms. The ML classifier and heuristic firings strongly indicate malicious intent, likely to redirect users to phishing sites or download further malware. The presence of embedded URLs and the structure of the document suggest it's part of a broader campaign to distribute malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9983

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://elevatedcbdaustin.com/uploads/1/3/0/7/130738565/130738565.html#worx+pole+saw+instruction+manual
    • http://equineiridology.org/uploads/1/3/0/6/130604226/ribovanowozonakor.pdf
    • http://danscentrumnorr.com/uploads/1/3/0/6/130621279/c6e420.pdf
    • http://thescurlockgroup-promo.com/uploads/1/3/0/5/130543598/donelagorudirame.pdf
    • http://allstarcreditrepair.com/uploads/1/3/0/2/130289466/3121413.pdf
    • http://livmaclake.com/uploads/1/3/0/5/130551562/kedefupa.pdf
    • http://halkidikitours.net/uploads/1/3/1/4/131437099/didezubativ_tegowemimoze_gibedanigaz_bumegawasebom.pdf
    • http://geckoholic.store/uploads/1/3/0/2/130289163/7715274.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007243.bin
52cf0f9ce4b1badd2eb3939056bf7bac1578f68b5a923decf405a9f4f5de8b57		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7243 8264 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.