Malicious PDF — malware analysis report

Static analysis result for SHA-256 8fdedf905697e337…

Verdict: MALICIOUS
File type: PDF
Size: 36.7 KB
Created: 2020-04-10 03:42:55 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 067d70fe929f2f3b00a820f0a5b7944f
SHA-1: 3428df3d7f6293f46baf7638cd4e4b074dfe78fa
SHA-256: 8fdedf905697e337a84ec3508b3d7edb38c27f1e8a642e347312ce87c850d0b4
Risk Score: 92

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links pointing to various domains, many of which follow a similar numeric slug pattern. This suggests a link farm or SEO abuse tactic. The primary URL http://pendulummagick.com/uploads/1/3/0/4/130489039/130489039.html#horning%27s+roadside+market+bethel+pa appears to be the entry point into this network of potentially malicious PDFs. No scripts were extracted, and the document body is heavily obfuscated, limiting further analysis of the direct payload.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: http://pendulummagick.com/uploads/1/3/0/4/130489039/130489039.html#horning%27s+roadside+market+bethel+pa

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005a71.bin
  SHA-256: ab3e8e11ae3a51f7e4079451a26e9bb5a37a6b010a0297db1597b0b62fa3d62f
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5A71
  Size: 7988 bytes

Filename: font_01_sfnt_off000078f1.bin
  SHA-256: 885781ec91db75dc8c4a6a3d3dac0324bdfdb8f2239dab70466c62035ae072da
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x78F1
  Size: 4144 bytes