Malicious PDF — malware analysis report

Static analysis result for SHA-256 9873e6baf1fa50ec…

Verdict: MALICIOUS
File type: PDF
Size: 46.5 KB
Created: 2020-03-12 08:36:57 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 390015c12aab94dc077dd1b37a31b01e
SHA-1: bb0afd1046d47aa8295ee7a1720beb3c20f4e023
SHA-256: 9873e6baf1fa50ecbb3e8335f9478539a1a6cf789ce322e482b101a26296de34
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

This PDF document contains a large number of external links, many of which are SEO-optimized and point to other PDF files hosted on various domains. The primary heuristic, PDF_SEO_LINK_FARM, indicates this is a link farm designed to artificially inflate search engine rankings or distribute malicious content. The ML classifier also strongly flagged this PDF as malicious. The document body itself is largely obfuscated but contains a reference to a treaty and the wkhtmltopdf generator, suggesting a lure to a fake informational page.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00006bb9.bin | 49a87c76df4b401826056c9640b712846f69c58aadcd9f9d5723f8f0a6e8baf6 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6BB9 | 8680 bytes
font_01_sfnt_off00008b70.bin | e91619dfd4c72a85464d95ef1ba4e67df13020651c42071bafbe521a61d9f7fc | pdf-font-stream | PDF embedded font (sfnt) at offset 0x8B70 | 2652 bytes
font_02_sfnt_off000094d7.bin | 41a4bbacf41748deea7f627bca112dc7b8056b541408fe9ac8dd00f32ba6932b | pdf-font-stream | PDF embedded font (sfnt) at offset 0x94D7 | 16128 bytes