Malicious PDF — malware analysis report

Static analysis result for SHA-256 8bb07ea1f54784c8…

Verdict: MALICIOUS
File type: PDF
Size: 38.3 KB
Created: 2020-04-24 17:41:03 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: e915133a0308fa996ba6203037e9f23f
SHA-1: e42fde3e2704600c4aa1f025ff1c6740602154cd
SHA-256: 8bb07ea1f54784c8b69370ed5a05b275fb9585e01bab264a00fe50ad3961c237
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF file contains a large number of external links, many of which point to other PDF files on various domains, indicating a link farm or redirection scheme. The document body, though heavily obfuscated, contains the string 'Sympathy card message template' and references to the wkhtmltopdf tool, suggesting the document is a lure that disguises its malicious intent. The ML classifier strongly flagged this PDF as malicious, and the PDF_SEO_LINK_FARM heuristic confirms the presence of a mass external link farm, likely intended to distribute malware or lead to phishing sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006cbd.bin
SHA-256: b571ca8b2469a5eb316592c3a8a2fa7d2d74862006851809a4c54641238c793b
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6CBD
Size: 7916 bytes