Malicious PDF — malware analysis report

Static analysis result for SHA-256 92bf9f684d89a311…

MALICIOUS

PDF

33.8 KB Created: 2020-03-31 00:17:08 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: fc1f3e9bb9eafdca8addfe909231a1dd SHA-1: c5558722e04e05aaf41ce54d9a535b70eb65513f SHA-256: 92bf9f684d89a3111e79efe4af09f6151b39b2fe76286d93722c94950e0187cd
94 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF contains a large number of external links, many with numeric slugs, indicative of a link farm or SEO spam. The ML classifier strongly flagged this PDF as malicious. While no scripts were extracted, the sheer volume of external links suggests a potential for hosting malicious content or redirecting users to phishing sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://mythunderteam.com/uploads/1/3/1/4/131408666/131408666.html#unit+of+electrical+capacitance+crossword+clue
    • http://cruisinginthecaribbean.com/uploads/1/3/0/3/130379060/sopusexabenuvulike.pdf
    • http://doubleedgedswordministry.com/uploads/1/3/0/7/130739602/67fef8c0f5729.pdf
    • http://mobileautorepairbend.com/uploads/1/3/0/6/130604315/afd6bc8c2.pdf
    • http://studio-feyre.com/uploads/1/3/0/7/130775364/df870447e4272.pdf
    • http://hautecolour.studio/uploads/1/3/1/3/131384250/goposuraji-tafaxilogodilu.pdf
    • http://huntersadventuresbooks.com/uploads/1/3/0/7/130775275/zetexalilu.pdf
    • http://mieterbeirat.eu/uploads/1/3/0/7/130776006/0a4de7ac0e.pdf
    • http://rpmaa.org/uploads/1/3/0/4/130435520/450d9f7075e166.pdf
    • http://thelittleschoolproject.com/uploads/1/3/0/8/130874073/1588824.pdf
    • http://hiddengemsatlanta.com/uploads/1/3/1/1/131164249/49c6901742f610.pdf
    • http://ashbrookegrovetown.com/uploads/1/3/1/0/131071196/4892034.pdf
    • http://doloresgrillocoach.com/uploads/1/3/0/2/130272577/guxugedapa.pdf
    • http://mensbetterhealth.com/uploads/1/3/0/4/130489023/de3fedff5a3abba.pdf
    • http://www.cairnsmensbreaky.com/uploads/1/3/0/3/130323517/maralafaveb.pdf
    • http://theblueox916.com/uploads/1/3/0/2/130289719/a67cc20d3a15.pdf
    • http://theexperience.studio/uploads/1/3/0/6/130621094/gowukas.pdf
    • http://msdanahamilton.com/uploads/1/3/0/2/130287454/6561940.pdf
    • http://autodiscover.douglasenoblepainting.com/uploads/1/3/0/6/130620745/f58fff67c49.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005d80.bin
bbef29d1aacd5eabe05bded4c1fc4151dfb206fc06e5ee1d68f488a2b9cff2c5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5D80 7184 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.