Malicious PDF — malware analysis report

Static analysis result for SHA-256 a0aba3cf2786f96c…

Verdict: MALICIOUS
File type: PDF
Size: 47.8 KB
Created: 2020-04-03 14:27:10 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 0fb5deaac89646ecb1437efabf10457a
SHA-1: 7273ad029ee15d8f87a288c8d937d7ba094ac73e
SHA-256: a0aba3cf2786f96c1f29acebc2c60db89dca759b586dcd9a6a3d4af9ed4e150c
Risk score: 94

Malware Insights

MITRE ATT&CK

  • T1566.002 Phishing: Spearphishing Link
  • T1204.002 User Execution: Malicious File

The PDF contains a large number of external links pointing to a network of websites, the pattern of a link farm or SEO spam operation. The ML classifier flagged the PDF as malicious with maximum confidence. The embedded URLs are the primary indicators: the document's apparent purpose is to route readers to these external sites rather than to convey content of its own.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info, PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins parser and a last-wins parser will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (such as a URI or JavaScript action).
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://lushleaflandscapesb.com/uploads/1/3/0/5/130589411/130589411.html#regiones+o+bloques+econ%C3%B3micos+de+%C3%A1frica
    • http://passiondetail.net/uploads/1/3/0/6/130604531/silaganelirokefoza.pdf
    • http://thinkbe4youshoot.com/uploads/1/3/1/4/131453459/3305092.pdf
    • http://trophyhomesinc.info/uploads/1/3/0/9/130969437/ridajema-bowiwaribu-lupusala-sawupawukuli.pdf
    • http://arbeiaasbestos.com/uploads/1/3/0/2/130289386/bowezisume.pdf
    • http://kslscf.org/uploads/1/3/0/5/130543154/ligerekiriz.pdf
    • http://641332370335622942.com/uploads/1/3/1/0/131070523/dudoger.pdf
    • http://oliviophehandmadelvboutique.com/uploads/1/3/0/8/130873961/3105292.pdf
    • http://pagosaspringswindowcleaning.site/uploads/1/3/1/0/131070849/wugunebilutarekit.pdf
    • http://cancilleriammas.org/uploads/1/3/0/4/130435582/2518811.pdf
    • http://thesparlingsoull.com/uploads/1/3/0/5/130590702/rimurubufesilofis.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries are XMP/RDF namespace URIs from the document's metadata, not clickable links; they appear in any PDF carrying an XMP packet and are not indicators on their own.
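As an added example, not part of this report and not the analysis tool's own code, the following Python script implements the two heuristics above, PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL, over a constructed PDF skeleton. The thresholds (128 KB, at least 3 external links, 60% on one host), the host names and the object numbers in the sample are assumptions chosen for illustration; it pulls only /URI action targets, so XMP namespace URIs like those listed above never enter the link count.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (not the analyzed file): a tiny PDF skeleton with four
# /URI link annotations, three on one host, and object 6 0 defined twice with
# different bodies, the second definition pointing at a different URL.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.example/uploads/1/a.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.example/uploads/1/b.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://farm.example/uploads/1/c.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://other.example/d.html) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://lure.example/landing) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# "N G obj ... endobj" with a lazy body; the lookbehind stops "R 6 0 R" style references from matching.
OBJ_RE = re.compile(rb"(?<![\w/])(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.DOTALL)
# /URI (literal string), allowing backslash-escaped characters inside the parentheses.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
# Keys whose presence makes a duplicated object "active content" (assumed list).
ACTIVE_KEYS = (b"/URI", b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/SubmitForm")


def indirect_objects(data):
    """Map (num, gen) -> list of body bytes in file order, one entry per definition."""
    objs = {}
    for num, gen, body in OBJ_RE.findall(data):
        objs.setdefault((int(num), int(gen)), []).append(body.strip())
    return objs


def extract_uris(data):
    """Every /URI action target as str, in file order, with PDF string escapes removed."""
    return [re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1") for raw in URI_RE.findall(data)]


def duplicate_objects(objs):
    """Objects defined more than once with differing bodies (the PDF_DUPLICATE_OBJ_BODY_INCREMENTAL shape).
    Reports what a first-wins and a last-wins reader would each resolve, and whether any body is active."""
    dups = {}
    for key, bodies in objs.items():
        if len(set(bodies)) > 1:
            dups[key] = {
                "first": bodies[0],   # resolved by a first-definition-wins parser
                "last": bodies[-1],   # resolved by a last-definition-wins parser
                "active": any(k in b for b in bodies for k in ACTIVE_KEYS),
            }
    return dups


def link_farm_verdict(uris, size_bytes, max_size=128 * 1024, min_links=3, cluster_ratio=0.6):
    """PDF_SEO_LINK_FARM shape: small file, many external links, most clustered on one host."""
    external = [u for u in uris if urlsplit(u).scheme in ("http", "https")]
    hosts = Counter(urlsplit(u).hostname for u in external)
    top_host, top_count = (hosts.most_common(1) or [(None, 0)])[0]
    share = top_count / len(external) if external else 0.0
    flagged = size_bytes <= max_size and len(external) >= min_links and share >= cluster_ratio
    return {
        "external_links": len(external),
        "top_host": top_host,
        "top_host_share": round(share, 2),
        "flagged": flagged,
    }


def analyze(data):
    """Run both heuristics; duplicate-object severity is raised only when a duplicate carries active content."""
    objs = indirect_objects(data)
    dups = duplicate_objects(objs)
    return {
        "link_farm": link_farm_verdict(extract_uris(data), len(data)),
        "duplicate_objects": dups,
        "duplicate_severity": "high" if any(d["active"] for d in dups.values()) else "info",
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_PDF)
    print("link farm:", result["link_farm"])
    for (num, gen), d in result["duplicate_objects"].items():
        print(f"object {num} {gen} defined twice; first-wins -> {d['first']!r}")
        print(f"                          last-wins  -> {d['last']!r}")
    print("duplicate severity:", result["duplicate_severity"])
```

On the constructed sample the link-farm check fires (five external links, three of them on one host, file far under the size ceiling), and object 6 0 is reported as a duplicate whose first-wins and last-wins resolutions point at different URLs, with severity raised because the bodies carry a /URI action. The regexes are a triage shortcut: they do not decompress object streams (/ObjStm) and can be fooled by the byte sequence "endobj" inside a binary stream, so for a real investigation run the same two checks over objects enumerated by a proper PDF parser.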

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off0000683e.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x683E  9216 bytes
  SHA-256: c71236f34674adfc4771016b6270081fa7edf62311dfb2490a4fc0bc8eedf1f5
font_01_sfnt_off00008941.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x8941  2632 bytes
  SHA-256: 8003671b2f6b067297fb99e712be9b9b59e1b0c0fe8c5fd334072ea152ece142
font_02_sfnt_off00009290.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x9290  18232 bytes
  SHA-256: 890f9ffd1e2827debf557e154b0f204dc3b5115687aac54f3e6324be0ac8bcec