Malicious PDF — malware analysis report

Static analysis result for SHA-256 77197810a710efc5…

MALICIOUS

PDF

25.2 KB Created: 2020-05-01 12:07:27 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 371506e03cf9458f6a75c14d6b7b0269 SHA-1: 986e1bb77c90e891bdb8e542daa5dea0034e1fed SHA-256: 77197810a710efc58daf9d50fb63d0e1d1697ea69f6da422c5a24914cea11f38
94 Risk Score

Malware Insights

MITRE ATT&CK
T1599 Information Gathering: Subdomain Acquisition T1204 Malicious Link

The PDF file contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, pointing to various domains. The document body, though heavily obfuscated, contains references to these URLs. This behavior is consistent with a link farm or SEO spamming technique, potentially used to distribute malicious content or manipulate search engine rankings. No scripts were extracted, and the primary malicious activity observed is the extensive linking.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9973

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://pinballalley.ca/uploads/1/3/0/7/130738629/130738629.html#chirutha+cinema+songs+ing+telugu
    • http://girlycrew.com/uploads/1/3/0/9/130969226/df15b915.pdf
    • http://emmanderson.com/uploads/1/3/1/4/131454316/3832722.pdf
    • http://solidtimberworxptyltd.net/uploads/1/3/0/3/130379843/raveropobaw.pdf
    • http://waterstonecc.com/uploads/1/3/0/7/130776735/seteti_pegiz_dazozaloreri_zulilo.pdf
    • http://promocoderodney.com/uploads/1/3/1/4/131407901/c8f86bc1cf78753.pdf
    • http://onthisaugustday.com/uploads/1/3/0/4/130483205/959490a.pdf
    • http://lifeoflekker.com/uploads/1/3/0/6/130620579/2b890b.pdf
    • http://4gwireless.com/uploads/1/3/0/8/130814460/eb805a8b9d54b.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000415e.bin
9b333f8533bddb5386eb21d84817d01aede3a60a9cbf4699b32f992d71cb62fb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x415E 5928 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.