Malicious PDF — malware analysis report

Static analysis result for SHA-256 9b0d44afe4708345…

MALICIOUS

PDF

37.8 KB Created: 2020-05-29 12:00:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e24a2f44bb59889ae1cbadbafd88326f SHA-1: af59a3cf06791db477d79a52428fc2de11937104 SHA-256: 9b0d44afe4708345e61970f8c015065e2c6860465da45e8302bb14f328661339
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains numerous external links, identified by the PDF_SEO_LINK_FARM heuristic, pointing to various domains. The document body, though heavily obfuscated, contains text that appears to be a lure ('A student's guide to waves fleisch pdf') and references the wkhtmltopdf tool, suggesting it was generated programmatically. The ML classifier strongly flagged this PDF as malicious. The primary intent appears to be directing users to potentially malicious external sites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9930

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://3tj.undesirable.us/uploads/1/3/0/4/130476129/130476129.html#a+student%2527s+guide+to+waves+fleisch+pdf
    • http://dbstransportationservices.com/uploads/1/3/0/6/130639983/60632ca9.pdf
    • http://christineszinner.com/uploads/1/3/0/7/130738501/e4d7ed77c3cd398.pdf
    • http://dsalanguageservices.com/uploads/1/3/1/6/131636746/saxoj_muzozufakewo_noruxere.pdf
    • http://votefortenberry.com/uploads/1/3/0/4/130476307/foxur-lozajepedoxa-mivarabemeres.pdf
    • http://onefourau.com/uploads/1/3/0/8/130813849/kulena-razajoruwug-jujikavaxisotil-tuzoxibexe.pdf
    • http://tlsportstraining.com/uploads/1/3/0/2/130271083/1796497.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000520a.bin
2db5ed4f882d4646e55223c6c04d0dc6e757298735d113f6a098135bbbfce38e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x520A 10260 bytes
font_01_sfnt_off00007553.bin
17944bd0c80a49bdca266dd0e234306c0a2598ae12d8eb36b57a750b4669eb88		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7553 16472 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.