Malicious PDF — malware analysis report

Static analysis result for SHA-256 760993033570fd01…

MALICIOUS

PDF

44.2 KB Created: 2020-03-21 18:04:37 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 9ae007cc224d2c1cfcac60c8e6a77322 SHA-1: db626e4c9545830734b51b01aca0f17bcccc8657 SHA-256: 760993033570fd014ac31d718c7c0158252cc596a491c76139ea368db2a3f82d
116 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The document contains a callback phishing lure, instructing the user to contact a number for issues related to billing or subscription, which is a common social engineering tactic. The PDF also contains a large number of external links, suggesting it may be part of a link farm or used to distribute further malicious content. No scripts were extracted, but the ML classifier strongly indicated maliciousness.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Callback phishing phone lure medium SE_CALLBACK_LURE
    Document asks the user to call a phone number in billing, refund, subscription, fraud, or security context — consistent with callback phishing or tech-support scam patterns. Suppressed for legitimate-issuer (IRS/gov/official-form) documents that carry no urgency or charge/dispute escalation.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://atyourservicehvac.org/uploads/1/3/0/6/130620929/130620929.html#how+to+apply+for+ihss+protective+supervision
    • http://musicenvironment.com/uploads/1/3/0/7/130738637/dasivu.pdf
    • http://ssh2019.info/uploads/1/3/0/5/130539820/vovipodekejav.pdf
    • http://soloncentergallery.org/uploads/1/3/0/5/130551072/7362006.pdf
    • http://sahasralankayoga.com/uploads/1/3/0/9/130969548/tidumolowebubeziloni.pdf
    • http://nwm6.club/uploads/1/3/0/7/130775032/b60d257da7e2a41.pdf
    • http://mail.puraveeda.com.au/uploads/1/3/0/7/130739490/nogogagew_wosubobeto_tiporop.pdf
    • http://hazzamgroup.com/uploads/1/3/0/4/130476563/546596d.pdf
    • http://juz-living.com/uploads/1/3/0/6/130639233/sanubodixogojaxum.pdf
    • http://www.pdxpremierinspections.com/uploads/1/3/0/5/130590279/4250754.pdf
    • http://www.bydbyem.com/uploads/1/3/0/5/130544823/lonanofalofofap.pdf
    • http://andersoncapsim.com/uploads/1/3/0/4/130476597/rasidad.pdf
    • http://demitrydevelopment.com/uploads/1/3/0/4/130483939/gelirige-xigipi-fozoxuri-tomasafidunopu.pdf
    • http://nectr.ca/uploads/1/3/0/5/130543087/wigexoxeka.pdf
    • http://maison-bois-hietala.com/uploads/1/3/0/3/130379341/f0817e.pdf
    • http://kohicorgi.com/uploads/1/3/0/6/130621527/vipanepepavudajexenu.pdf
    • http://dev.carothersinsurance.com/uploads/1/3/0/7/130738716/virajigobikije-joriz-jitudetejema.pdf
    • http://coloradohgl.com/uploads/1/3/0/7/130738720/sokenewotugeme_wivosu_padezikawoku.pdf
    • http://bryantcondrey.com/uploads/1/3/0/3/130313784/8970866.pdf
    • http://inkling-english.com/uploads/1/3/1/0/131070331/murezulejatek.pdf
    • http://northbeavercontracting.net/uploads/1/3/0/3/130379248/dobadi_gibutifen_zajeluzupebe_mogoritifu.pdf
    • http://volleyballanalytics.org/uploads/1/3/0/5/130543771/9726969eea4cc8.pdf
    • http://mta-sts.mx.loriprecious.com/uploads/1/3/0/2/130291536/gipesakigumibeg.pdf
    • http://elyaqui69.com/uploads/1/3/0/2/130273799/2133652.pdf
    • http://evclothingco.com/uploads/1/3/1/0/131070186/vologamofimosilosu.pdf
    • http://soltricityonline.com/uploads/1/3/1/0/131070485/supakodofuzav.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000083b9.bin
53d0cf1a635172bc8fd3ab484b35c43aef2b92932380ae7f8a0d6a9f723808c7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x83B9 8008 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.