Malicious PDF — malware analysis report

Static analysis result for SHA-256 7694dc6b7a007948…

MALICIOUS

PDF

38.6 KB Created: 2020-04-03 10:59:30 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 3a05bb7c530461fa431df6cfad2d9be4 SHA-1: 15392c9fa8a863ab1c2ee9e474958a9aa4382292 SHA-256: 7694dc6b7a00794863f99467ca7a17793f4f107f3f03e86cdfa89def3dc63256
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of embedded external links, a technique often used for SEO spam or to redirect users to malicious sites. The ML classifier strongly indicated maliciousness, and the PDF_SEO_LINK_FARM heuristic confirms the presence of a link farm. While no scripts were explicitly extracted, the embedded links are the primary indicators of malicious intent, likely serving as a distribution mechanism for further compromise.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://highfieldproperty.org/uploads/1/3/1/4/131406649/131406649.html#troy+bilt+pressure+washer+2800+psi+2.3+gpm
    • http://amazinggrapevine.com/uploads/1/3/0/7/130740514/177cb9c0.pdf
    • http://ridiculousredtails.com/uploads/1/3/0/5/130551253/finovunob_libuwuzit_borutunod.pdf
    • http://carefullyplannedsolutions.com/uploads/1/3/0/5/130544138/1c8bbf3494a2.pdf
    • http://saintchopraguide.com/uploads/1/3/0/6/130604860/kifiwujunopurarokivi.pdf
    • http://icbdforme.ca/uploads/1/3/0/5/130540642/jenekiziz.pdf
    • http://kayescountrycreations.com/uploads/1/3/1/3/131380688/wexazomitil.pdf
    • http://oaklandauthentic.com/uploads/1/3/1/4/131407067/punepejabubize.pdf
    • http://premiumprocessing.net/uploads/1/3/0/5/130545985/nituwuvo.pdf
    • http://hismaidservant.com/uploads/1/3/0/6/130622038/7b70929f7b02f.pdf
    • http://agendaone.org/uploads/1/3/1/3/131382148/tukovonamesegugatig.pdf
    • http://www.turningheadsdesign.com/uploads/1/3/0/5/130551641/75d715096.pdf
    • http://tejontech.com/uploads/1/3/0/7/130739032/2349500.pdf
    • http://inspirationalnovels.org/uploads/1/3/0/7/130739897/4f8bf42bcc60a.pdf
    • http://romymon.com/uploads/1/3/0/6/130639329/6925805.pdf
    • http://trump2020wristband.com/uploads/1/3/1/4/131455275/lesozorixewimezewi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006afc.bin
b7a44a7f6776b04021ae65c998067df132622da8c8db2dcfc5986738a70f51a0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6AFC 8432 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.