Malicious PDF — malware analysis report

Static analysis result for SHA-256 bb7cdc62fd457f84…

MALICIOUS

PDF

53.1 KB Created: 2020-04-15 21:21:54 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: e17eaba0d92cbf02a099547913673412 SHA-1: 827cdf62dec27bd80132809b880a74025ebc436f SHA-256: bb7cdc62fd457f843cf6c35a8ab1cc7238ac0428c66186aaeca0cf0a81aa4dce
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of external links, many of which point to seemingly unrelated domains and follow a pattern of numeric slugs, indicating a link farm for SEO manipulation or malware distribution. The document body, though heavily obfuscated, contains a URL that is also present in the heuristics, suggesting it is a primary lure. The ML classifier strongly flagged this PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://pragueprivatetransfers.com/uploads/1/3/0/2/130270898/130270898.html#heat+resistant+baking+sheet
    • http://socreation.fr/uploads/1/3/0/3/130379635/jiwejijufazip_puxejo_sujuzax_leletamebej.pdf
    • http://eyezlowapparel.com/uploads/1/3/1/4/131406154/xezejimixitulusukik.pdf
    • http://information-packet.com/uploads/1/3/0/7/130738854/0f32a5.pdf
    • http://jonesfamilyweekend.com/uploads/1/3/0/4/130483290/muluwiwesiluko.pdf
    • http://fhockeyskillz.com/uploads/1/3/0/2/130289773/8522983.pdf
    • http://evilgiant.com/uploads/1/3/0/7/130776201/9d135dc448ffe8.pdf
    • http://curatingempathy.com/uploads/1/3/1/4/131437636/f200ca.pdf
    • http://figticiouscatering.com/uploads/1/3/0/7/130739621/jeguboforogab.pdf
    • http://tasteofsalt.net/uploads/1/3/1/3/131382841/4d045ae615e7b.pdf
    • http://bandbautospa.social/uploads/1/3/0/8/130814584/nivekebolomadafafo.pdf
    • http://popup-brooklyn.com/uploads/1/3/0/6/130605442/27773e92939d.pdf
    • http://priscillas.org/uploads/1/3/0/2/130287482/887562.pdf
    • http://christellemmen.com/uploads/1/3/0/5/130539046/d108ef84bd7f37e.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000097cb.bin
1f352b2892e26d926fd03248d8e87bc2f59b193e66ecb15847d059a5c9fa470c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x97CB 6972 bytes
font_01_sfnt_off0000b35c.bin
779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB35C 16036 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.