Malicious PDF — malware analysis report

Static analysis result for SHA-256 86adf542800dae4a…

MALICIOUS

PDF

Size: 39.3 KB
Created: 2020-04-03 15:42:05 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: bd8667b6eff145a30e1922a11418df04
SHA-1: 1f978be4ee6ec0a4efdd09c179cddda3c01e1a56
SHA-256: 86adf542800dae4ab49cd9c941e4d6f02e82c77ed22615f7de6e8b8afc35abc9
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF document contains numerous external links, many of which point to other PDF files hosted on suspicious domains, indicating a link farm or redirection mechanism. The document body, though partially obfuscated, contains URLs that likely lead to malicious content or further stages of an attack. The ML classifier strongly flagged this PDF as malicious, supporting the assessment of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info) PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://garysstorage.com/uploads/1/3/1/4/131453100/131453100.html#formulas+de+area+e+volume+de+solidos+geometricos
    • http://freedomjazzfestival.org/uploads/1/3/0/7/130739150/1254459.pdf
    • http://gardenpartyclub.com/uploads/1/3/0/7/130775274/begepexoli-vugixudozerikor.pdf
    • http://maccione.net/uploads/1/3/0/2/130270745/majosedol-lomodate-tumojegola-wawesafa.pdf
    • http://missdayteaches.com/uploads/1/3/0/6/130639535/9079060.pdf
    • http://hardkopycosmetics.com/uploads/1/3/0/6/130621926/7032799.pdf
    • http://greenislifeaz.com/uploads/1/3/0/2/130289431/gizipodes_ruxekuf.pdf
    • http://repiping.net/uploads/1/3/0/2/130273812/6041298.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Columns: Filename, Hash, Kind, Source, Size

Filename: font_00_sfnt_off00006311.bin
Hash: 40d3c4aa20cf4463b157630ae5539004d81d91a34c954e4d49ce86826957f0a2
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6311
Size: 10000 bytes

Filename: font_01_sfnt_off0000844f.bin
Hash: 985cbd9ba5b629f1b749d04d852c0eecb5d8ad374186a1044a60da9476420dc6
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x844F
Size: 2788 bytes