Malicious PDF — malware analysis report

Static analysis result for SHA-256 769e286cb5831ec6…

Verdict: MALICIOUS
File type: PDF
Size: 47.8 KB
Created: 2020-03-09 11:01:59 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 21299a3b54678941e3a166f973cd77a7
SHA-1: ece9713172799d4eb12276cd1c2b1793cdf55ada
SHA-256: 769e286cb5831ec6559fcc3cf394b5a6877d48c26a039ad2156d4b30ca849392
Risk score: 104

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains numerous external links, many of which appear to belong to a link farm built to artificially inflate search engine rankings. The document's content, though partially obfuscated, includes a URL whose fragment suggests a lure on 'benefits of activity based costing in healthcare'. The PDF SEO link-farm heuristic match indicates intent to redirect users to potentially harmful content or to facilitate further exploitation. No scripts were extracted, but the structure suggests a malicious document intended to deliver users into a network of linked sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (5)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Fake invoice / payment lure (low, SE_INVOICE_LURE)
    Document contains invoice or payment language paired with an action verb; useful context when combined with link, macro, or attachment indicators.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://maxmiddleton.studio/uploads/1/3/0/4/130489563/130489563.html#benefits+of+activity+based+costing+in+healthcare

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000092ca.bin
SHA-256: 02d5405cf87b05045891efe48c60973795f6ee9846fc9489265c82b16ee47d58
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x92CA
Size: 7292 bytes