Malicious PDF — malware analysis report

Static analysis result for SHA-256 922ab645dcfe671f…

Verdict: MALICIOUS
File type: PDF
Size: 37.8 KB
Created: 2020-03-11 06:16:14 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
First seen: 2021-05-23
MD5: fd458736aa5aba7ee59ed03d2b66b4bf
SHA-1: e84e704ef3f9022795d529fea97e2815b62857f7
SHA-256: 922ab645dcfe671f66345d4b38a07022a79ecdd290f578cad317d44a46f8409d
Risk score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1105 Ingress Tool Transfer

The PDF document contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. The ML classifier also strongly indicated maliciousness. The document body, though partially corrupted, contains a reference to 'Abortion essay title ideas' and numerous URLs pointing to PDF files on various domains, suggesting a link farm or content distribution scheme. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, PDF_URI)
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006cd6.bin
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6CD6
Size: 7492 bytes
SHA-256: f53dbe3474c759c798b70ae7fc88917c26924c39c8133d2c4cac6d747bc7917a