Malicious PDF — malware analysis report

Static analysis result for SHA-256 9aed2a8d188e90b5…

Verdict: MALICIOUS
File type: PDF
Size: 44.8 KB
Created: 2020-06-08 08:45:47 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 2f835035dd4e79107091c0f6c8d8f04b
SHA-1: 74b4838d3e1b25b3b3ed0315d1921acb5dd734a9
SHA-256: 9aed2a8d188e90b56af5019f3cb971bf21189ead20af3c606eb7219245b94164
Risk score: 94

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, as indicated by the PDF_SEO_LINK_FARM heuristic. These links point to various PDF files hosted on different domains, suggesting a link farm or distribution network. The ML classifier also strongly flagged this PDF as malicious. No scripts were extracted, but the primary attack pattern involves directing users to external resources.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (4)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL: Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://getwomen2vote.com/uploads/1/3/0/6/130620224/130620224.html#%25D8%25B4%25D8%25B1%25D9%258A%25D9%2583+%25D9%2581%25D9%258A+%25D8%25AA%25D9%2583%25D9%2586%25D9%2588%25D9%2584%25D9%2588%25D8%25AC%25D9%258A%25D8%25A7+%25D9%2583%25D8%25A7%25D9%2585%25D8%25A8%25D8%25B1%25D9%258A%25D8%25AF%25D8%25AC
    • http://summerslittlebakery.com/uploads/1/3/1/6/131636627/fuvavagenuv_vanagomu.pdf
    • http://hostmaster.fonddulacchurch.com/uploads/1/3/0/4/130476243/9200791.pdf
    • http://healthcaresdpt.com/uploads/1/3/1/3/131383591/1443102.pdf
    • https://fakenigali.files.wordpress.com/2020/06/46899525893.pdf
    • https://jowezeda.files.wordpress.com/2020/06/geranefowariguxojawol.pdf
    • https://lejixubut.files.wordpress.com/2020/06/tekakadiripizudexolan.pdf
    • https://zimufugu.files.wordpress.com/2020/06/98679879220.pdf
    • https://tebobikesez.files.wordpress.com/2020/06/27708342417.pdf
    • https://miselimex.files.wordpress.com/2020/06/58270433632.pdf
    • https://dipowaza.files.wordpress.com/2020/06/49180331615.pdf
    • https://vitosomuzete.files.wordpress.com/2020/06/5443848498.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • stream_002_off0000644a.bin
    SHA-256: e25d74402d349672929d082dcbf22e6d920b1748adffe1853c5fce1185b5e185
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x644A
    Size: 18328 bytes
  • font_01_sfnt_off000080e3.bin
    SHA-256: 56ffce3141c4180b7d6d7365bc29a8c8e6b7d6564d5955b5b3531967d1947b03
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x80E3
    Size: 11300 bytes