Malicious PDF — malware analysis report

Static analysis result for SHA-256 b20503eef4f3d017…

Verdict: MALICIOUS
Type: PDF
Size: 82.6 KB
Created: 2021-03-15 08:20:00 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7bb948120583d9cea290fd3e06101ee2
SHA-1: 7c0e1fccb2e3a2762de0ec637be11f3d15071d33
SHA-256: b20503eef4f3d0172d842840394778bcd7744c28907e3626b2e01b35e820c399
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.007 Command and Scripting Interpreter: JavaScript

The PDF carries a large number of external links, most of them pointing at other PDFs on free file-hosting services (weebly.com, cdn.sqhk.co, strikinglycdn.com, filesusr.com, s3.amazonaws.com) and a few throwaway .site domains. That is the shape of a generated SEO link-farm carrier, not a document with genuine citations. The keyword parameter in the first URL (combinations+worksheet+4th+grade) points to an educational-materials lure aimed at users searching for worksheets. The PDF_SEO_LINK_FARM heuristic together with the classifier score indicates a file built to route users into unwanted-software or malware delivery chains, or into further phishing pages. No script objects or JavaScript actions were extracted, so the T1059.007 mapping is not backed by observed script content and should be treated as tentative; the static evidence supports T1566.001, the file being delivered as a phishing or SEO lure attachment.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9954

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • PDF_DUPLICATE_OBJ_BODY_INCREMENTAL (info): Object number defined twice with different bodies
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. A first-wins reader and a last-wins reader will resolve different content for it, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content (a JavaScript, Launch or similar action). It is reported at info severity here, consistent with the duplicate not carrying active content.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the channel through which each URL was reached (macro, JS, link annotation, document body, ...) is what determines its weight, and those per-URL labels are not reproduced in this report.
    • https://seumenha.ru/wix?keyword=combinations+worksheet+4th+grade
    • https://vojisijekedix.weebly.com/uploads/1/3/5/3/135311469/jewolaguwa.pdf
    • http://karaulovlife.site/5548444747796y3g.pdf
    • http://nekretnine.site/40556240456zr20r.pdf
    • https://sefuzogesosemo.weebly.com/uploads/1/3/4/5/134579576/d8b3d8846c956.pdf
    • https://cdn.sqhk.co/rigepasemapa/gimaibg/35106485638.pdf
    • https://zapunetiregete.weebly.com/uploads/1/3/5/9/135956705/70e6c157fc.pdf
    • https://cdn.sqhk.co/bubiwalifeda/ioIhcH2/53132454237.pdf
    • https://pazunorafozide.weebly.com/uploads/1/3/0/7/130776571/237399.pdf
    • http://construt.site/jaspersoft_report_java_examplerbwqn.pdf
    • https://meruxanige.weebly.com/uploads/1/3/1/6/131636855/05bb44436cc0ac3.pdf
    • https://cdn.sqhk.co/foroboreb/gDoVFih/vejuxasabovipotozixifelov.pdf
    • https://cdn.sqhk.co/terisuzuji/gRhahcW/best_filter_app_for_selfies_like_snapchat.pdf
    • https://cdn.sqhk.co/rorajakura/pgghjZ6/top_scorer_epl_2020_update.pdf
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://uploads.strikinglycdn.com/files/48cf58bf-0cdc-4160-aeb7-02c6fa944c50/fender_mustang_floor_pedal_power_supply.pdf
    • https://uploads.strikinglycdn.com/files/c328dc5d-bbbf-4944-9cf2-3f6a2160e039/88245280503.pdf
    • https://bf130ee1-1463-4c69-9604-1b23772ced92.filesusr.com/ugd/b4609a_86b195575926444f8bb4c1cbd0e82edc.pdf?index=true
    • https://uploads.strikinglycdn.com/files/48e443ab-6c1f-4239-95c5-9728a217c85d/vabebitetefovikivalebogiw.pdf
    • https://4e33067b-0f13-4bed-bb9c-ea95f768fd7c.filesusr.com/ugd/23924c_795d91023a0b45e7a59f6ed174484c40.pdf?index=true
    • https://s3.amazonaws.com/wazorixekunafob/21755901730.pdf
    • https://s3.amazonaws.com/nefomojuwet/nofimeselas.pdf
    • https://f414df59-d0c5-412c-8277-160bd92acc6e.filesusr.com/ugd/055bb3_8afc84d18368445a920e207e1c401958.pdf?index=true
    • https://2ad55d82-15d9-4995-b72c-f03dca93b5f4.filesusr.com/ugd/11b7eb_054649aeb23a4aeab616618bf132e137.pdf?index=true
    • https://uploads.strikinglycdn.com/files/ddb7011e-bd61-41c1-b44b-87a35bd66ff7/high_pointe_microwave_fuse_replacement.pdf
    • https://s3.amazonaws.com/dumupa/pure_black_twitter_android.pdf
    • https://uploads.strikinglycdn.com/files/943d171c-da97-4264-962e-6dc7d33a79c6/81722050634.pdf
    • https://dbb1fad9-9c05-458f-9e32-bc0b7f65d7ec.filesusr.com/ugd/451461_76f1f63b603d48dd825e139869666d7c.pdf?index=true
    The remaining nine URIs are XMP namespace identifiers and font vendor, designer and license URLs carried in document and embedded-font metadata (consistent with the name tables of the three sfnt fonts carved below). They are not link targets and carry no detection weight on their own:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    • http://scripts.sil.org/OFL
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
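The two structural heuristics above (PDF_SEO_LINK_FARM and PDF_DUPLICATE_OBJ_BODY_INCREMENTAL) and the per-channel URL extraction can be reproduced on an uncompressed PDF. The following Python script is an added example, not the analyser's own code: it works on a constructed in-memory PDF (not this sample), uses a deliberately small regex parser, and the thresholds max_size, min_links and host_share are illustrative assumptions rather than the analyser's tuning. It extracts the URIs reached through /Link annotations only, scores the link-farm shape by host clustering, and shows how a first-wins and a last-wins reader resolve a twice-defined object differently, raising severity only when the later body carries active content.

```python
"""Static triage of PDF link annotations and duplicate object definitions.

Added example, not the analyser's code. The regex parser only handles plain,
uncompressed PDF syntax; real samples carry FlateDecode'd streams and object
streams, so a proper parser (pdf-parser, peepdf, pikepdf) belongs in front of
this logic. The heuristics, not the parsing, are the point.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample (not the analysed file): four /Link annotations, three on one
# host, plus object 4 redefined in an incremental update so that a last-wins reader
# sees a JavaScript action where a first-wins reader sees a URI.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.farm.test/a/1.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.farm.test/b/2.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.farm.test/c/3.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://other.test/x.pdf) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
4 0 obj << /Type /Annot /Subtype /Link /A << /S /JavaScript /JS (app.alert(1)) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# Naive: does not handle escaped ')' inside the string; fine for the demo.
URI_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\((.*?)\)", re.S)
# Action/trigger keys that execute or launch something rather than just navigate.
ACTIVE_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/SubmitForm")


def parse_objects(data: bytes):
    """All 'N G obj ... endobj' definitions in file order, duplicates included."""
    return [(int(m.group(1)), int(m.group(2)), m.group(3).strip())
            for m in OBJ_RE.finditer(data)]


def duplicate_objects(objs):
    """(N, G) -> list of bodies, for objects defined more than once with different bytes."""
    bodies = {}
    for num, gen, body in objs:
        bodies.setdefault((num, gen), []).append(body)
    return {k: v for k, v in bodies.items() if len(set(v)) > 1}


def resolve(objs, num, gen, policy="last"):
    """Body a first-wins or last-wins reader would use for object (num, gen)."""
    cands = [b for n, g, b in objs if (n, g) == (num, gen)]
    if not cands:
        return None
    return cands[0] if policy == "first" else cands[-1]


def has_active_content(body: bytes) -> bool:
    return any(k in body for k in ACTIVE_KEYS)


def duplicate_severity(objs) -> str:
    """'info' for body-only rewrites (benign incremental updates), 'critical' if any
    duplicate body carries active content, 'none' if nothing is defined twice."""
    dups = duplicate_objects(objs)
    if not dups:
        return "none"
    return "critical" if any(has_active_content(b) for v in dups.values() for b in v) else "info"


def link_annotation_uris(objs):
    """URIs reached through /Link annotations with a /URI action (one channel only)."""
    out = []
    for _, _, body in objs:
        if b"/Subtype /Link" in body or b"/Subtype/Link" in body:
            out += [m.group(1).decode("latin-1") for m in URI_RE.finditer(body)]
    return out


def link_farm_verdict(data: bytes, max_size=200_000, min_links=10, host_share=0.5):
    """Small file + many external link annotations + one dominant host => link-farm shape.
    The three thresholds are illustrative assumptions, not the report's tuning."""
    uris = link_annotation_uris(parse_objects(data))
    hosts = Counter(urlparse(u).hostname or "" for u in uris)
    top_host, top_n = (hosts.most_common(1) or [("", 0)])[0]
    share = top_n / len(uris) if uris else 0.0
    return {
        "links": len(uris),
        "top_host": top_host,
        "top_host_share": round(share, 2),
        "link_farm": len(data) <= max_size and len(uris) >= min_links and share >= host_share,
    }


if __name__ == "__main__":
    objs = parse_objects(SAMPLE_PDF)
    print(link_farm_verdict(SAMPLE_PDF, min_links=3))
    print("duplicate severity:", duplicate_severity(objs))
    print("first-wins object 4:", resolve(objs, 4, 0, "first"))
    print("last-wins  object 4:", resolve(objs, 4, 0, "last"))
```

Two design points worth noting. The URL extractor is tied to one channel (link annotations with a /URI action) so that its output can be labelled the way the EMBEDDED_URL entry describes; URLs found in XMP metadata or font name tables would come out of a different, lower-weight channel. And the duplicate-object check resolves the object under both policies rather than trusting the cross-reference table, because the whole point of the parser-confusion shape is that the viewer and the scanner may disagree about which body is live.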

Extracted artifacts (3)

Files carved from inside the sample during analysis. All three are embedded font programs in sfnt (TrueType/OpenType) containers; their hashes are listed for correlation.

Filename: font_00_sfnt_off0000ef37.bin
  SHA-256: b558122bc25e70f034fe942ec107d279d9ebb235d79090fb26d163f4136114e7
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xEF37
  Size: 5496 bytes

Filename: font_01_sfnt_off000101ca.bin
  SHA-256: 743dc6af42f835369d00fc0b523a02ee0ad504bb92de6e66fd376e9bf73a0b9e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x101CA
  Size: 10464 bytes

Filename: font_02_sfnt_off000125d0.bin
  SHA-256: c9557d91917e40dbb2ce09b7ef560a04a9a832ffe2ebcac6b50408a58351272e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x125D0
  Size: 16092 bytes