Malicious PDF — malware analysis report

Static analysis result for SHA-256 8fa40631cbf6ea63…

MALICIOUS

PDF

53.3 KB Created: 2020-04-15 02:08:59 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 2b64e3fcf90396fc2bea57159c0ba7d0 SHA-1: 181367b80a3a774302d6dda98f0f73f343c7a1d6 SHA-256: 8fa40631cbf6ea6365f7f1dd54c3708430fa74681831076bd1f6cd9e123d723e
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of external links, many of which are numerically or generically named, suggesting a link farm or SEO abuse tactic. The document body, though heavily obfuscated, contains text related to 'verbal reasoning test answers' and references the wkhtmltopdf tool, indicating a potential lure. The primary external URI points to a page with similar naming conventions, reinforcing the social engineering aspect.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://minnesotahydrographics.com/uploads/1/3/1/0/131069935/131069935.html#ceb+shl+verbal+reasoning+test+answers
    • http://jadorehairboutique.com/uploads/1/3/0/7/130738705/nevaf.pdf
    • http://chantillybakery.net/uploads/1/3/0/2/130270982/newimumokirap-zazadokepilatu-rubofetofi.pdf
    • http://thenepeanrowers.com/uploads/1/3/0/4/130435638/zimaka.pdf
    • http://openeyesinsights.com/uploads/1/3/0/5/130542934/9529573.pdf
    • http://piccellstudio.com/uploads/1/3/0/4/130489006/b5025b8.pdf
    • http://kmaconsultantsllc.net/uploads/1/3/0/6/130639098/lifukodub.pdf
    • http://everythinggoddess.net/uploads/1/3/0/9/130969431/4835339.pdf
    • http://blogpawsandpamper.com/uploads/1/3/1/3/131384516/bipatowafu-tosadunupe-vekudo-bobewireni.pdf
    • http://xciteeducation.com/uploads/1/3/0/7/130740183/xorixekon_vexut_jebirinufup.pdf
    • http://gozoguide.com/uploads/1/3/0/7/130739297/718bda.pdf
    • http://auntfanniesphonesacks.com/uploads/1/3/1/4/131454505/paxetog.pdf
    • http://loosenuptea.com/uploads/1/3/0/3/130323301/9486d64.pdf
    • http://insuranceadvtg.com/uploads/1/3/1/4/131437402/4774afe906a7.pdf
    • http://jadorehairboutique.com/uploads/1/
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00009008.bin
61016a9b8aa887824c19da97543ff2f676bc37ac743da967f2732a60119633c6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9008 8892 bytes
font_01_sfnt_off0000b1f6.bin
0f23141ba94d37b49c53016ac63a9b008a6ac8e4c4656a8d80e6725f77750189		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB1F6 16140 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.