Malicious PDF — malware analysis report

Static analysis result for SHA-256 ab47fe057d0fc25f…

Verdict: MALICIOUS
File type: PDF
Size: 45.1 KB
Created: 2020-04-04 10:22:01 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 2329f6c5c77440a8b296f5cd5fdcf54a
SHA-1: 58062efeddfc74cc727801a59eb3a9fe2d1556b8
SHA-256: ab47fe057d0fc25f21f976c7ae994bd9a4c2cbaf23f55fffc7c6429525ccbc8d
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links to other PDF files hosted on various domains. This pattern is indicative of SEO poisoning or a link farm used to distribute malicious content. The ML classifier strongly flagged this PDF as malicious, supporting the assessment of malicious intent. No scripts were extracted, and the document body is heavily obfuscated, but the sheer volume of external links is the primary indicator of malicious activity.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off000065b5.bin
    SHA-256: 676de577bef9c4f4fc43a3525cccff26081563821536a3c1548408a573c6fa05
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x65B5
    Size: 9204 bytes
  • font_01_sfnt_off0000868a.bin
    SHA-256: 50224c6c483bfa86a10f62efd7baa2c756f8036c0a911ebd537387e21b2fb6f3
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x868A
    Size: 2732 bytes
  • font_02_sfnt_off00009025.bin
    SHA-256: 2651e02e48e90e09297cd2155f91134ceaa551f12b9a12bafa399d36895e2515
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9025
    Size: 16068 bytes