Malicious PDF — malware analysis report

Static analysis result for SHA-256 bf0a491be77e2618…

Verdict: MALICIOUS
File type: PDF
Size: 42.5 KB
Created: 2020-05-15 10:39:32 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: e6010dc196c8dee71f82b792c877a772
SHA-1: 87f596a15f72abb2268c763b7d4d1d54ce5cab91
SHA-256: bf0a491be77e2618ea76ada9eac4ce0d4033d82643dac0a2476cc8388983de1b
Risk Score: 96

Malware Insights

MITRE ATT&CK

  • T1566.001 Spearphishing Attachment
  • T1059.001 PowerShell

The PDF contains a large number of external links, many of which appear to be part of a link farm. The ML classifier strongly indicated maliciousness. The document body text, though partially garbled, contains URLs that are also listed in the heuristics, suggesting these links are central to the document's purpose. The primary attack pattern appears to be SEO manipulation or hosting malicious content via a network of compromised websites.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9999

Heuristics (4)

  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (info) PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies (info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://jennamccabe.com/uploads/1/3/0/4/130483587/130483587.html#apprendre+le+fran%25C3%25A7ais+de+communication+professionnelle+pdf
    • http://aceprofessional.net/uploads/1/3/1/6/131606360/kavikixalanu_xokum_kaxeso.pdf
    • http://nfstore.net/uploads/1/3/0/5/130545565/3575932.pdf
    • http://northernvocalcoaching.com/uploads/1/3/1/3/131380944/dc63a10e69fb3b.pdf
    • http://eygcosmetics.com/uploads/1/3/0/6/130621447/sobezafepulof.pdf
    • http://apismellifera2.com/uploads/1/3/1/6/131606118/913321.pdf
    • http://worldtravelsage.net/uploads/1/3/1/4/131410399/6ac2ef2edfef40b.pdf
    • http://cctiedye.com/uploads/1/3/0/8/130813582/jefabipo-moxujodilose.pdf
    • http://oddbutterflies.com/uploads/1/3/1/3/131379371/rifofo-lanid-dixukuzesuz-jupirivi.pdf
    • http://type1trainer.com/uploads/1/3/0/2/130288599/ecf48f960780a8.pdf
    • http://thesuccesssquad.net/uploads/1/3/1/8/131856394/1d4374f.pdf
    • http://lifestylebycourtneyhale.com/uploads/1/3/0/6/130639147/punonusoz-rideju.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005b47.bin
  SHA-256: 892d0924b43b2b28913fd6a20ea8f49ef4b8a1a02d3fafcb23cb5b182ca4eba2
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x5B47
  Size: 12768 bytes

Filename: font_01_sfnt_off0000830d.bin
  SHA-256: 7a1c3a1409cadba5655e718208952661d75bb35cb30a5ac3e370bea4f6b7683e
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x830D
  Size: 17436 bytes