Malicious PDF — malware analysis report

Static analysis result for SHA-256 78d35db6931068e9…

MALICIOUS

PDF

41.7 KB Created: 2020-06-04 04:14:07 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9079c8aa37653df012961d4ce598ec58 SHA-1: 29ddf5ed700944a792bc14a61d2929f481423fec SHA-256: 78d35db6931068e9893acd47631f87419ca05f87573b881a4baeb061b10aba37
136 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF document contains a large number of external links to other PDF files hosted across various domains, indicative of a link farm or SEO manipulation scheme. The ML classifier strongly flagged this PDF as malicious, and the presence of numerous external URIs suggests an attempt to redirect users to potentially harmful content or to distribute further payloads. No scripts were extracted, but the sheer volume of outbound links is highly suspicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 5

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://melrosedesigns.studio/uploads/1/3/1/0/131071308/131071308.html#batman+dark+victory+review
    • http://toonstep.com/uploads/1/3/0/4/130476013/28a614.pdf
    • http://communitytransitions.us/uploads/1/3/0/4/130475980/mufaludokebugixoduf.pdf
    • http://fencecompanyfortworth.com/uploads/1/3/1/4/131454335/6420660.pdf
    • http://colimaconcrete.com/uploads/1/3/0/5/130551174/1954307.pdf
    • http://root.keylinevermont.com/uploads/1/3/0/9/130969340/40f845b65.pdf
    • http://bestbestcbd.com/uploads/1/3/0/2/130288447/143390.pdf
    • http://webdisk.vegantshirts.ca/uploads/1/3/0/2/130289597/zalewipar.pdf
    • http://tmgspeed.com/uploads/1/3/0/4/130483858/tapiliwomoxalifema.pdf
    • http://jimigoisland.com/uploads/1/3/0/6/130604973/9979849.pdf
    • http://theheroinesclub.com/uploads/1/3/0/6/130604685/zowototomut_tutom.pdf
    • http://cpcontacts.amilles.com/uploads/1/3/0/2/130270923/6299952.pdf
    • http://bucurlamarunt.com/uploads/1/3/0/4/130488503/6a5be6d.pdf
    • http://barenaturalsoaps.com/uploads/1/3/0/7/130775805/3b631d55267a.pdf
    • http://melrosedesigns.studio/uploads/1/3/1/0/131071308/terms.html
    • http://melrosedesigns.studio/uploads/1/3/1/0/131071308/dmca.html
    • http://melrosedesigns.studio/uploads/1/3/1/0/131071308/policy.html
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://xoxijukixife.files.wordpress.com/2020/06/jefoburujupunefisesot.pdf
    • https://bageredo.files.wordpress.com/2020/06/waxarupuke.pdf
    • https://gotexutag798502486.files.wordpress.com/2020/06/zebuvelusododuna.pdf
    • https://rifilaru.files.wordpress.com/2020/06/pojafi.pdf
    • https://bitepon.files.wordpress.com/2020/06/73386428822.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007704.bin
daa294cc73cd7232ae114c3cba6c67d51e7f91bf08e28d37cc85147e2f2e3860		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7704 10364 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.