Malicious PDF — malware analysis report

Static analysis result for SHA-256 bd3e107976a5e7a3…

MALICIOUS

PDF

37.2 KB Created: 2020-03-20 02:54:52 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 27c63bbd3cbb52e275b746f7375a6e9c SHA-1: b73cb6e01e56214eace60309c62cdfa080c0b9ca SHA-256: bd3e107976a5e7a3ca3b31a70b36e9533c9181eaa65a13c62e17736d92216201
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a large number of external links, a common tactic for SEO poisoning and directing users to malicious sites. The document body, while containing garbled text, includes a URL that appears to be a lure for financial audit reports. The ML classifier strongly flagged this PDF as malicious, indicating a high likelihood of malicious intent. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://thecandicerose.com/uploads/1/3/0/9/130969681/130969681.html#modelo+de+informe+de+auditoria+a+los+estados+financieros+en+colombia
    • http://reedlibbey.com/uploads/1/3/0/4/130475965/burinoz_solalepukozebi_mapusimubug.pdf
    • http://organizemychaos32960.com/uploads/1/3/0/7/130776439/4732020.pdf
    • http://glamfam.store/uploads/1/3/0/2/130270963/fepezutepad.pdf
    • http://ricksmobilerv.com/uploads/1/3/0/7/130775015/4c31b6.pdf
    • http://mvhc-llc.com/uploads/1/3/0/4/130483871/5051279.pdf
    • http://sengkakmatlopaok.com/uploads/1/3/0/5/130550763/a27e00b.pdf
    • http://301smainneia.com/uploads/1/3/0/6/130605368/4883479.pdf
    • http://pandcra.com/uploads/1/3/0/5/130551095/pulobisozemuge_viregaxa_zatepafilefe.pdf
    • http://www.perimenisdentalgrouponline.com/uploads/1/3/0/5/130589360/wabofiji.pdf
    • http://www.toyota-tacoma.org/uploads/1/3/0/5/130590567/minosumu.pdf
    • http://www.ipc-test-site-4.com.au/uploads/1/3/0/3/130379251/6875866.pdf
    • http://www.malediven-huwelijksreis.nl/uploads/1/3/0/2/130291908/2469271.pdf
    • http://oneanddonemobilespraytan.com/uploads/1/3/0/2/130270843/832cd17a4.pdf
    • http://elrodeomexicanfoodwy.com/uploads/1/3/0/5/130540501/firixixuzoref-rogetuwiguwabub-nugulatidu-megukomenusuxe.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006801.bin
3f3d9e67c9d9d68fd66e466710623a780a4d58cacce3763b3b5f45286c3b8533		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6801 7928 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.