Malicious PDF — malware analysis report

Static analysis result for SHA-256 92bd65ad2e04cca7…

MALICIOUS

PDF

39.1 KB Created: 2020-04-18 06:43:38 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 2c73138c41f935d792f7e6bebf53e91b SHA-1: 9e049da176e39218523184009cae5999ac18471b SHA-256: 92bd65ad2e04cca7265f95fa9ce6ce4e2eb70c00fe1a6a85d53469e0850674ba
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of embedded external links, many of which point to other PDF files on various domains. This behavior is indicative of a link farm or a mechanism to distribute malicious content through a network of compromised websites. The ML classifier strongly flagged this PDF as malicious, supporting the assessment of a malicious intent. The document body itself contains a title related to 'Dbz goku vs android 13' which is likely a lure to encourage users to click on the embedded links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://lancasterec.com/uploads/1/3/0/3/130379142/130379142.html#dbz+goku+vs+android+13
    • http://houstonclergy.org/uploads/1/3/1/4/131437649/pafinizipokenegan.pdf
    • http://salleebonhamwrites.com/uploads/1/3/0/7/130739457/fiwat-mukodi-jodog-wapixivajon.pdf
    • http://ayaloveproject.org/uploads/1/3/0/2/130274017/968b51e1fd2d144.pdf
    • http://shanandlousayido.com/uploads/1/3/1/0/131069824/106960.pdf
    • http://patriciahopkinsbarnesfineart.com/uploads/1/3/0/5/130550794/visifa-dirib-gaxefanazites-palubizadobal.pdf
    • http://rxbbullies.com/uploads/1/3/0/6/130639922/821858.pdf
    • http://thesuitestaitung.com/uploads/1/3/1/4/131437941/tegajopox.pdf
    • http://mibbler.com/uploads/1/3/0/7/130776401/tujixatowa.pdf
    • http://hecmaconference.org/uploads/1/3/0/6/130603968/fibupefakeb.pdf
    • http://christchurchcathedralmobile.com/uploads/1/3/1/4/131453048/ae6ce021aa1.pdf
    • http://kaleshwar-groups.net/uploads/1/3/0/7/130774962/7989452.pdf
    • http://windsweptpoodles.net/uploads/1/3/1/3/131379017/079c835339.pdf
    • http://thehvbs.com/uploads/1/3/0/3/130312980/5042435.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000071ca.bin
62dee26745e9dd77adf059f726ad6410c6683bbdaf907d5968eb551ba024149b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x71CA 7848 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.