Malicious PDF — malware analysis report

Static analysis result for SHA-256 b3c26116bc362fb7…

MALICIOUS

PDF

38.0 KB Created: 2020-04-13 08:28:42 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: cd1e6f34a71a5ce6616b744f52e27070 SHA-1: 9698d8cde3d984505a72fa30066a69e9d619bfaa SHA-256: b3c26116bc362fb752baa42e8749bf7ed799f2fbc490f0a2b4f259e5ee5a32ab
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of external links, many of which point to other PDF files hosted on similar domains. This behavior is indicative of a link farm or SEO manipulation tactic, likely intended to drive traffic to malicious or compromised websites. The ML classifier strongly flagged this PDF as malicious, supporting the assessment of a malicious intent. The document body itself is heavily obfuscated and contains metadata suggesting it was generated by wkhtmltopdf, a tool often used to create PDFs from web content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://ttthardstyle.com/uploads/1/3/1/1/131164569/131164569.html#allan+kardec+books
    • http://christianfamilyblog.com/uploads/1/3/0/5/130588343/tolenomidelijop.pdf
    • http://rosebudvault.net/uploads/1/3/0/8/130813144/marifujen.pdf
    • http://icounselhope.com/uploads/1/3/0/6/130603884/97e660abe.pdf
    • http://leelanaustonecottage.com/uploads/1/3/0/9/130969283/pekojerunoligurifo.pdf
    • http://deserthighlandswcs.com/uploads/1/3/0/5/130551576/1601411.pdf
    • http://envirocoop.net/uploads/1/3/1/3/131398171/xebimexepuboso-nunifogexak-jojoxuf.pdf
    • http://aspenlanephotography.com/uploads/1/3/1/3/131381369/7036144.pdf
    • http://papasgotjerk.com/uploads/1/3/0/6/130639764/6219516.pdf
    • http://carpetcleaningfw.com/uploads/1/3/1/3/131382841/bajajosowanag_jetevo.pdf
    • http://dishinthedirtmoms.com/uploads/1/3/0/2/130272880/vumiba.pdf
    • http://easilyoffendedtissuehat.com/uploads/1/3/0/6/130620417/7ff0685.pdf
    • http://lymandesignsvt.com/uploads/1/3/0/4/130483140/bcaeeab6c1.pdf
    • http://afterlifewraps.com/uploads/1/3/0/6/130605149/0a0c7ea09.pdf
    • http://newsyllabus.com/uploads/1/3/0/4/130491181/5926196.pdf
    • http://francoisemathieumillet.com/uploads/1/3/1/3/131381607/c9bf380e6359.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006ac7.bin
2487a7e6a2776fa51ca56ef1cb595216f1041f9e628d80983f32980572b87681		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6AC7 8420 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.