Malicious PDF — malware analysis report

Static analysis result for SHA-256 a66fc1d4c4f55d12…

Verdict: MALICIOUS
File type: PDF

Size: 104.0 KB
Created: 2020-03-22 11:55:33 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 17070d145523c05aa65435aa81d9e944
SHA-1: c3905dbfbf069a553745546ffa668905e2550553
SHA-256: a66fc1d4c4f55d12409abab20aaab54059fbed918c53d090c9a9f7eb2764115c
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1059.001 PowerShell

This PDF document contains a large number of external links, a common tactic for SEO poisoning and phishing lures. The ML classifier strongly indicated maliciousness. The document body, though partially corrupted, contains text related to 'Obras mas destacadas de mahatma gandhi' and metadata indicating it was generated by wkhtmltopdf, suggesting a deceptive lure to obscure the malicious intent of the embedded links.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9995

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] (PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] (PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies [info] (PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (5)

Files carved from inside the sample during analysis.

Filename | SHA-256 | Kind | Source | Size
font_00_sfnt_off00011823.bin | 81e70c2a9543254b5d0a509b9f976e6087e2188207549dd5de30ba3d553d55bd | pdf-font-stream | PDF embedded font (sfnt) at offset 0x11823 | 9956 bytes
font_01_sfnt_off000132ba.bin | 35e0f51fa2ae4703951352453e50ee10e86011e7dff317bc1456b19db4c32c18 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x132BA | 10952 bytes
font_02_sfnt_off00015841.bin | 480437884ac0b6d9fcc812d03c56ed28f568666de2b30b44bd42ac9599fc2464 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x15841 | 2680 bytes
font_03_sfnt_off000161cb.bin | 82bb2c151344bf34bb4c6f9ee149b067b03ad0e5f3a2005d325901e9be9b9ec6 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x161CB | 16948 bytes
font_04_sfnt_off000179ef.bin | 8ada5d36392f4a70428d1d1692e949256b4fea08fbbe7bf347c39e52ecea1b29 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x179EF | 7688 bytes