Malicious PDF — malware analysis report

Static analysis result for SHA-256 9bf51d7f76a4df76…

Verdict: MALICIOUS

File type: PDF

Size: 38.2 KB
Created: 2020-03-09 08:32:47 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: f4ab4f472d19af0e5183ef6903a0e907
SHA-1: 2768b9b0006158068f7e55ddf640482ca5641960
SHA-256: 9bf51d7f76a4df765d910f9b90d7e56c06297d9d0eaa5b119ce7a67a7a9f34a8
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of external links to other PDF files hosted on various domains. This behavior is indicative of SEO spam or a link farm designed to distribute malicious content or drive traffic. The ML classifier strongly supports the malicious verdict. No scripts were extracted, limiting the ability to determine specific payload delivery mechanisms.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    The PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006f4b.bin
SHA-256: b7487cfdc817aa759efd009b03061c63991d2c14fad9a4d2f711bad2a1461e9a
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6F4B
Size: 7372 bytes