Malicious PDF — malware analysis report

Static analysis result for SHA-256 77cba995552fd9d3…

MALICIOUS

PDF

31.2 KB Created: 2020-04-11 07:23:38 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 5d65f11426197a8d2250a1948cc89d12 SHA-1: 37197c0b478a3a97b7966e0d00d63c3a610e4c5d SHA-256: 77cba995552fd9d3e18f1e198964a9b2739dfed2168176e39ea05eecfae8cc73
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous embedded links to external websites, many of which appear to be part of a link farm designed to distribute malicious content or engage in SEO spam. The document body, though heavily obfuscated, contains a URL that likely leads to a second-stage payload or phishing page. The ML classifier strongly indicated maliciousness, supporting the presence of these suspicious links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://oakclass.com/uploads/1/3/0/3/130313102/130313102.html#xbox+one+controller+pc+verbindet+nicht
    • http://settingtrndsbarbershop.com/uploads/1/3/0/6/130603986/165813352b.pdf
    • http://toribellatravels.com/uploads/1/3/0/7/130739087/zarenisemadagujap.pdf
    • http://dakotaneurology.com/uploads/1/3/1/3/131382239/wajevikanusozamixim.pdf
    • http://www.ancillalearning.com/uploads/1/3/0/2/130288444/woxenobaxaza.pdf
    • http://verybigcookies.org/uploads/1/3/1/4/131406274/xajetetelikum.pdf
    • http://chequeredflagauto.com/uploads/1/3/0/4/130483207/wetitogebex-bukexozu-kipisuxe-pudur.pdf
    • http://vinasupermarket.com/uploads/1/3/0/6/130604823/pemozodew-subuki-xajirosef.pdf
    • http://swietkowskilaw.com/uploads/1/3/0/8/130874332/regabojemop.pdf
    • http://funsuckers.net/uploads/1/3/1/0/131071277/wemesifugalanuza.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000505f.bin
1d7d9b4bf556b5bb7b9a35b0a920630ca9f22a945e63274aa5eb71379fe4d560		 pdf-font-stream PDF embedded font (sfnt) at offset 0x505F 8408 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.