Malicious PDF — malware analysis report

Static analysis result for SHA-256 83dc423132e71570…

MALICIOUS

PDF

42.9 KB Created: 2020-03-24 12:14:57 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 6a886c8fab6039aaddfff7a41b67da0f SHA-1: 852d407ade6c5b90f2fec7e7b332a5893eac4f4d SHA-256: 83dc423132e7157012ad29b11614398b94a314d7fcbc0c420ce3918085e77b85
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF document contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. The primary URL, http://wilmingtonladiesteawalk.org/uploads/1/3/0/9/130969445/130969445.html#aerial+scissor+lift+training, suggests a lure related to training. The ML classifier also flagged this PDF as malicious. The presence of numerous links indicates a potential SEO spam campaign or a distribution point for further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://wilmingtonladiesteawalk.org/uploads/1/3/0/9/130969445/130969445.html#aerial+scissor+lift+training
    • http://chaletgirl.net/uploads/1/3/0/3/130323291/2211719.pdf
    • http://www.koenen-wein.de/uploads/1/3/0/5/130588484/lebinewifukevu.pdf
    • http://www.mountainviewmealprep.com/uploads/1/3/0/2/130287835/jinezovi.pdf
    • http://www.jonasfarmholidaybarns.co.uk/uploads/1/3/0/6/130621404/3d76332e6.pdf
    • http://hostmaster.satorigames.co.uk/uploads/1/3/0/9/130968981/wewofukoxomovo_zawogotexeduk_mokobonepuwesob_favatate.pdf
    • http://www.hitstarrecords.net/uploads/1/3/0/4/130476407/mesusutewubijizatatu.pdf
    • http://www.karvadigital.com/uploads/1/3/0/6/130639786/doxuj_damegut_liravojulog_sogigesisexif.pdf
    • http://thestuffoflegends.net/uploads/1/3/0/4/130476818/sofofunepiw.pdf
    • http://iansmeeth.com/uploads/1/3/0/6/130621708/94370.pdf
    • http://misskaty.org/uploads/1/3/0/7/130739564/7527716.pdf
    • http://ab4xy.com/uploads/1/3/0/4/130483682/tatalamati-kisufekigo-daborogit-gatow.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006ad7.bin
96df634a187d2c63cfa5c1b45205ba363b643f160b15818e9024b5c6c83d2c84		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6AD7 7936 bytes
font_01_sfnt_off0000896f.bin
1104c88d649693a2c120d1598511aa3922a7df9b7b3df98dbf00854e2b79198b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x896F 16144 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.