Malicious PDF — malware analysis report

Static analysis result for SHA-256 8d72f5620b160a25…

MALICIOUS

PDF

Size: 38.3 KB
Created: 2020-06-16 19:47:45 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1e2dae13bfba439e98a9bb52cf05547e
SHA-1: 30ed98cf07f76984d7b7441cb227a0fd6caee26c
SHA-256: 8d72f5620b160a25c0f5e9d7172b4484eea6e5db76751e95d81be226f22643bd
Risk Score: 94

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.001 User Execution: Malicious Link

The PDF contains a large number of external links to other PDFs hosted on many different domains, the pattern of a link farm. The primary heuristic, PDF_SEO_LINK_FARM, indicates an SEO abuse technique. The embedded content, which presents as a product manual (the one HTML link target references a 1989 125 hp outboard manual), is most likely a lure that disguises the link aggregation. No scripts were extracted and the document body itself carries no executable content, but the volume and uniformity of the external links (every target is a machine-generated .pdf name under the same /uploads/1/3/x/x/<id>/ path scheme, each on a different host) point to a coordinated effort to manipulate search results or to route readers to content hosted elsewhere.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates (wkhtmltopdf's Qt back end writes them), so severity is raised only when the duplicate carries active content such as an action or script.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Link targets reached through /URI actions:
    • http://syndicate1000group.com/uploads/1/3/2/3/132302868/132302868.html#1989+force+125+hp+outboard+manual
    • http://raw-eventing.com/uploads/1/3/0/4/130488994/1307475.pdf
    • http://cpcalendars.collinsautoperf.madesimplydev.com/uploads/1/3/1/0/131070009/4990730.pdf
    • http://hostmaster.thewritertype.com/uploads/1/3/0/7/130739389/fccf6261d04d18.pdf
    • http://intelligentautoelectrics.biz/uploads/1/3/1/4/131407849/joxurenupikefad.pdf
    • http://colortraits.com/uploads/1/3/1/6/131636586/fbba3e2e286.pdf
    • http://amalficapitalfunds.com/uploads/1/3/0/5/130539019/lulonede.pdf
    • http://creativeconcreterentalandsupply.com/uploads/1/3/1/0/131070010/2856792.pdf
    • http://whitehouse-idt.com/uploads/1/3/0/6/130620712/7437640.pdf
    • http://mail.douglasenoblepainting.com/uploads/1/3/0/9/130969838/jasajimuzotobo.pdf
    XMP namespace identifiers from the document's metadata stream (RDF, Dublin Core and the Adobe PDF/XMP schemas). These are schema URIs, not link targets, and are expected in any XMP-bearing PDF; they should not be counted toward the link-farm verdict:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
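Added example, not the report's own tooling, showing how the three structural heuristics above can be reproduced over a file's raw bytes: an object index that records every definition of each (N G) object so first-wins and last-wins resolution can be compared and active content in a redefinition spotted (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL), a URL extractor that labels the channel each URL came from, a /URI action versus an xmlns attribute in the XMP metadata (EMBEDDED_URL), and a link-farm check that counts external .pdf targets and clusters them by host (PDF_SEO_LINK_FARM). The sample PDF is constructed inline and is not the analysed file; function names, the 8-link and 64 KiB thresholds and the host names are assumptions. It is a regex scan, so objects packed inside compressed object streams would not be seen.

```python
"""Added example (not the report's own tooling): raw-bytes PDF triage mirroring the
PDF_SEO_LINK_FARM, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL and EMBEDDED_URL heuristics.
All names and thresholds are hypothetical."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample, not the analysed file: link annotations pointing at .pdf files on
# three hosts, an XMP stream whose xmlns attributes are namespace URIs, and object 4 defined
# twice (an inert annotation, then an incremental-update redefinition adding a /URI action).
def _link_obj(num, url):
    return (f"{num} 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
            f"/A << /S /URI /URI ({url}) >> >>\nendobj\n").encode("latin-1")

_PDF_LINKS = (
    [f"http://farm-a.example/uploads/1/3/0/4/13048899{i}/{1307470 + i}.pdf" for i in range(6)]
    + [f"http://farm-b.example/uploads/1/3/1/0/13107000{i}/{4990730 + i}.pdf" for i in range(2)]
    + ["http://farm-c.example/uploads/1/3/0/7/130739389/fccf6261d04d18.pdf"]
)
_XMP = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
        b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
        b'<rdf:Description xmlns:dc="http://purl.org/dc/elements/1.1/" '
        b'xmlns:pdf="http://ns.adobe.com/pdf/1.3/"/></rdf:RDF></x:xmpmeta>')
_ANNOTS = " ".join(f"{n} 0 R" for n in [4] + list(range(10, 10 + len(_PDF_LINKS))))
SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >>\nendobj\n",
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
    f"3 0 obj\n<< /Type /Page /Parent 2 0 R /Annots [{_ANNOTS}] >>\nendobj\n".encode("ascii"),
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] >>\nendobj\n",
    b"5 0 obj\n<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(_XMP)
    + _XMP + b"\nendstream\nendobj\n",
    *[_link_obj(10 + i, u) for i, u in enumerate(_PDF_LINKS)],
    b"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI "
    b"/URI (http://lure.example/manual.html#1989+outboard+manual) >> >>\nendobj\n",
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
])

OBJ_RE = re.compile(rb"(?<![0-9])(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj\b", re.S)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.S)   # PDF literal string, escapes kept
XMLNS_RE = re.compile(rb'xmlns:[A-Za-z0-9_.-]+="(https?://[^"]+)"')
ACTIVE = (b"/JS", b"/JavaScript", b"/Launch", b"/URI", b"/OpenAction", b"/AA", b"/EmbeddedFile")

def index_objects(data):
    """Map (num, gen) -> every body seen for that object, in file order. Regex scan only:
    bodies inside compressed object streams (/ObjStm) are not seen."""
    objs = {}
    for m in OBJ_RE.finditer(data):
        objs.setdefault((int(m.group(1)), int(m.group(2))), []).append(m.group(3).strip())
    return objs

def duplicate_objects(objs):
    """[(num, gen, definitions, bodies_differ, carries_active_content)] for redefined objects.
    Severity is worth raising only when bodies differ AND a body carries active content."""
    return [(n, g, len(b), len(set(b)) > 1, any(k in x for x in b for k in ACTIVE))
            for (n, g), b in sorted(objs.items()) if len(b) > 1]

def resolve(objs, num, gen=0, policy="last"):
    """The body a first-wins or last-wins reader would use for this object."""
    bodies = objs.get((num, gen))
    return None if not bodies else (bodies[-1] if policy == "last" else bodies[0])

def extract_urls(data):
    """[(url, channel)]: 'uri-action' for /URI actions, 'xmp-namespace' for xmlns URIs,
    which are schema identifiers rather than link targets."""
    urls = [(re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1"), "uri-action")
            for m in URI_RE.finditer(data)]
    urls += [(m.group(1).decode("ascii"), "xmp-namespace") for m in XMLNS_RE.finditer(data)]
    return urls

def link_farm_assessment(data, min_pdf_links=8, small_file=64 * 1024):
    """Count external .pdf targets reached through /URI actions and cluster them by host."""
    pdf_links = [u for u, ch in extract_urls(data)
                 if ch == "uri-action" and urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    top_host, top_n = hosts.most_common(1)[0] if hosts else (None, 0)
    farm = len(pdf_links) >= min_pdf_links
    return {
        "file_size": len(data),
        "external_pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host": top_host,
        "top_host_share": round(top_n / len(pdf_links), 2) if pdf_links else 0.0,
        "link_farm": farm,
        "severity": "critical" if farm and len(data) <= small_file else "high" if farm else "none",
    }

if __name__ == "__main__":
    objs = index_objects(SAMPLE_PDF)
    print("duplicates (num, gen, defs, differ, active):", duplicate_objects(objs))
    print("4 0 first-wins carries action:", b"/URI" in resolve(objs, 4, policy="first"))
    print("4 0 last-wins carries action: ", b"/URI" in resolve(objs, 4, policy="last"))
    for url, channel in extract_urls(SAMPLE_PDF):
        print(f"{channel:14} {url}")
    print(link_farm_assessment(SAMPLE_PDF))
```

The point of keeping every definition of an object rather than the last one is that the two resolution policies can be diffed: here the first-wins body of 4 0 is an inert annotation while the last-wins body carries the /URI action, which is exactly the case where the duplicate-object heuristic should escalate. Labelling the channel per URL is what keeps the XMP namespace URIs out of the link count.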

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005456.bin
  SHA-256: f0cc792e17d81bfb4f8348e4442263668d9a6e2eac2e2a3088684503e73df2f4
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5456
  Size: 5756 bytes

Filename: font_01_sfnt_off000067b6.bin
  SHA-256: add6a63416f5cbdd243c627e49f11ecd709209eeea3773065ad0ff194cc968ba
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x67B6
  Size: 10928 bytes