Malicious PDF — malware analysis report

Static analysis result for SHA-256 b040abd8024c2dd9…

MALICIOUS

PDF

72.4 KB Created: 2020-04-11 11:11:25 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 9a32894acdec7d861edb79fb36822655 SHA-1: 48f6df417208069f0a1afc7eeef3e48a4c5fa27d SHA-256: b040abd8024c2dd9dfe2aee83167009aa7eb950ba00ca9d88018bf66a54425d3
100 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file was flagged by multiple heuristics, including PDF_SEO_LINK_FARM and ML_NYX_PDF_MALICIOUS, indicating a high likelihood of malicious intent. The embedded JavaScript stream and the extensive list of external URLs suggest that this document is designed to lure users to potentially harmful websites. The primary attack pattern involves a link farm designed to obscure the true destination and potentially host further malicious content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9790

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • Embedded JS stream low PDF_JS
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://webdisk.collegedemsatiu.com/uploads/1/3/0/6/130604093/130604093.html#teachings+of+lord+caitanya+pdf
    • http://jfwebdesign.ca/uploads/1/3/1/3/131379396/reraravuzonoso.pdf
    • http://lbiwinefest.com/uploads/1/3/0/6/130604292/ec9e9759e.pdf
    • http://ckreiner.com/uploads/1/3/0/9/130969310/92544.pdf
    • http://style4cheap.com/uploads/1/3/0/5/130540642/8482704.pdf
    • http://crossstateinvestigations.net/uploads/1/3/0/6/130620412/5817451.pdf
    • http://commandcommunications.com/uploads/1/3/1/4/131406291/zevok.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000c7c1.bin
9772b826befc1f9fa576c8259035365203c99625f8b4db22260745a42fb19a6d		 pdf-font-stream PDF embedded font (sfnt) at offset 0xC7C1 10280 bytes
font_01_sfnt_off0000eb92.bin
f13313e7c20b242685d8e85a67c672161f53ba1a0ad3790b6e1db8c24975e2d9		 pdf-font-stream PDF embedded font (sfnt) at offset 0xEB92 16940 bytes
font_02_sfnt_off00010396.bin
415525b9c7e8cde2319ade1b14aef4058e12f81a81ae411f3222c5ff369e4594		 pdf-font-stream PDF embedded font (sfnt) at offset 0x10396 6760 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.