Malicious PDF — malware analysis report

Static analysis result for SHA-256 819ba606b7cfccb5…

MALICIOUS

PDF

63.9 KB Created: 2020-03-13 05:38:47 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 20ad4dad1fc94a345db5fc54df699788 SHA-1: 70ce5ee85dd88c829b51a8bdc32f5bfca03034a2 SHA-256: 819ba606b7cfccb5cf8ce3c1017bdce772f9d79fba0b339b454cb69e3394240a
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous external links, a technique often used to redirect users to malicious websites. The ML classifier strongly indicated maliciousness. The document body, though heavily obfuscated, contains text related to 'Proximal renal tubular acidosis medscape' and the wkhtmltopdf application, suggesting a lure to a seemingly legitimate topic to mask malicious intent. The primary attack pattern involves leveraging these embedded links to deliver a payload or phish for credentials.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://74-123-77-9.mgwnet.com/uploads/1/3/1/0/131071167/131071167.html#proximal+renal+tubular+acidosis+medscape
    • http://www.pausereflectlearngrow.com/uploads/1/3/0/5/130539871/1408548.pdf
    • http://0-13-1-demo.octarinesec.com/uploads/1/3/0/3/130379147/linubizirezipeseno.pdf
    • http://autodiscover.loadmateforboaters.com/uploads/1/3/0/4/130489539/8177510.pdf
    • http://rainescampaign.com/uploads/1/3/0/4/130476555/gowutajawul.pdf
    • http://www.jasonwilke.com/uploads/1/3/0/5/130543772/penutadoki_xedojejowe_luzadasunofuga.pdf
    • http://cpsaltlakecity.com/uploads/1/3/0/6/130620755/ac9186b.pdf
    • http://nofilterbydreah.com/uploads/1/3/0/4/130483271/paregagojatixe.pdf
    • http://feltathon.com/uploads/1/3/0/6/130621480/kogexe_rulefekezolaf_razatufino.pdf
    • http://caratcoffee.com/uploads/1/3/0/5/130588822/wonexiwewuxik.pdf
    • http://progressivebuildingsystemsinc.com/uploads/1/3/0/2/130291592/63b3088fe32e1a.pdf
    • http://kitchitup.com/uploads/1/3/0/6/130639100/8296cc2c.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c619.bin
6aed2dc947949da740ab2db3d5ed144083cc2a381a42e4444f380a803060d890		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC619 8480 bytes
font_01_sfnt_off0000e680.bin
cf2338b7895a3a873add1db7dfb411390262a2a3d24e5b3dccff59843624ea97		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE680 2704 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.