Malicious PDF — malware analysis report

Static analysis result for SHA-256 b871b9c95274cb6a…

Verdict: MALICIOUS

File type: PDF

Size: 52.8 KB
Created: 2020-03-24 02:08:17 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)

MD5: f271aa429dba41cc23a062a24d32eaef
SHA-1: d3776f822c39e9d503d309b1cbd02ff6eaaa9c0a
SHA-256: b871b9c95274cb6a27fe1a16aeddbf588df1307ebc1168a3e856173624d30a62

Risk Score: 94

Malware Insights

MITRE ATT&CK

  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document was flagged by an ML classifier as malicious. It contains a large number of external links, indicating a potential link farm or a method to distribute further malicious content. The document body itself is largely unreadable, but the presence of numerous URLs suggests a deceptive or manipulative purpose, possibly related to SEO spam or redirecting users to malicious sites.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007a57.bin
  SHA-256: eaa5e58e7bfe5c871abd4dacb857edc33742ed52e0117107c39f459b43b2b3d6
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x7A57
  Size: 10024 bytes

Filename: font_01_sfnt_off00009bee.bin
  SHA-256: b64d6741cfec0aad0865d017b05e0e1fb7b4a6100249b802a3843c97d8d05181
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x9BEE
  Size: 4552 bytes

Filename: font_02_sfnt_off0000aa83.bin
  SHA-256: ff1df49bd8d3d9b5afa455194efb1aa37027ce0918a16f3888c56904caa4a7b5
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xAA83
  Size: 17156 bytes