Malicious PDF — malware analysis report

Static analysis result for SHA-256 8578d6ada9b78f0e…

MALICIOUS

PDF

37.9 KB Created: 2020-04-10 06:06:17 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: c05c3e8bd7709b81411fa90568db71c5 SHA-1: 572639a7cdbd875d3daa1342e5d2cb5cd48881fb SHA-256: 8578d6ada9b78f0e0c928cf302f9b08cee1a7db1028f8153342c514dba6e038e
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 User Execution: Malicious File

This PDF document exhibits characteristics of a link farm or SEO spam, embedding a large number of external URLs. The document body contains a title suggesting a tutorial for Word, likely a lure to disguise the malicious intent of directing users to numerous unrelated websites. The ML classifier strongly indicated maliciousness, and the PDF_SEO_LINK_FARM heuristic confirms the presence of a mass external link farm.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://roadshowarchitects.com/uploads/1/3/0/5/130590321/130590321.html#poner+indice+en+word+2010
    • http://studiolegaleavezzano.com/uploads/1/3/0/6/130604192/3366547.pdf
    • http://beatdiggaz.com/uploads/1/3/0/8/130873958/fad8eec3c6a68ff.pdf
    • http://lapsitulkki.com/uploads/1/3/0/5/130539295/falufagulefosiw-rosev-seruledekemogak-mokawuvowep.pdf
    • http://carbidecapitalpartners.com/uploads/1/3/0/4/130479044/6149821.pdf
    • http://lashupwithneka.org/uploads/1/3/0/6/130604006/xobipusefedesaj.pdf
    • http://theafricanbeercompany.com/uploads/1/3/0/4/130483499/jedudegugetoxibugo.pdf
    • http://learnvibe.com/uploads/1/3/1/4/131408086/pozanonusi.pdf
    • http://codyscarpetcare.net/uploads/1/3/1/3/131379591/zulimipaz_tuwazolo_sowefonagugis_dakufivagi.pdf
    • http://designateddeliveries.com/uploads/1/3/1/4/131437508/bomokidofur-nigodogorawur-wutuz-nibazimoga.pdf
    • http://thehighlysensitivechristian.com/uploads/1/3/0/8/130814441/xepalugeruno.pdf
    • http://mybrewbuddy.com/uploads/1/3/1/0/131070829/lufavoxij_pugedadaz_fitini.pdf
    • http://yellowstonebuilder.com/uploads/1/3/0/7/130776099/a347b.pdf
    • http://styledbydanidavis.net/uploads/1/3/1/1/131164555/jofefuba_weduno.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006a59.bin
c3898c02dff56d7aa351091520d61166d379d99100e6f781283d62d5bd3a14aa		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6A59 8436 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.