Malicious PDF — malware analysis report

Static analysis result for SHA-256 b4404374306d300f…

MALICIOUS

PDF

56.5 KB Created: 2020-04-29 06:51:35 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 239d845271da27a9bc1a7eaa2b26d136 SHA-1: 63f3e09e1da19ce76d4d8e7b4033e1d1a9aeff2a SHA-256: b4404374306d300fcfb3200834c108d28601fd343ca71d20f22bdcd117a1b96c
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of external links to other PDF files hosted on various domains, indicating a link farm or redirection scheme. The ML classifier strongly flagged this PDF as malicious. The document body, though heavily obfuscated, contains a URL that is part of this link farm. This pattern suggests the PDF is used to drive traffic to these external resources, which could host further malicious content or phishing lures.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://lisaungerbuehler.com/uploads/1/3/0/6/130620207/130620207.html#osaka+street+food+guide
    • http://plussizebridalsnh.com/uploads/1/3/1/4/131437548/877ab01ff4f3bf.pdf
    • http://theafflatusexperience.com/uploads/1/3/0/2/130289345/gagijiduvakimaloxo.pdf
    • http://feldenkraisontour.com/uploads/1/3/0/4/130483299/00e524130278.pdf
    • http://davidburchonline.com/uploads/1/3/0/8/130814877/cb5f1e099b7b09.pdf
    • http://connecticutairhotel.com/uploads/1/3/0/5/130551208/113622.pdf
    • http://focusphotography.org/uploads/1/3/0/8/130874090/ripomajoguremu.pdf
    • http://vansrv7a.com/uploads/1/3/0/9/130969624/0b9cf6b6b.pdf
    • http://yulyphotography.com/uploads/1/3/0/2/130291471/1616797.pdf
    • http://onboardforacure.com/uploads/1/3/0/5/130590561/5757796.pdf
    • http://jtrhomeservices.com/uploads/1/3/0/4/130489331/defabe.pdf
    • http://michaelroll.net/uploads/1/3/1/4/131483266/72fad62.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000b40f.bin
8d010cde520660432d8ab225ae96d4361245e10b4efc206b6584b31880ee3263		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB40F 8816 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.