Malicious PDF — malware analysis report

Static analysis result for SHA-256 c0b3abb9cc75f3a3…

Verdict: MALICIOUS
File type: PDF
Size: 42.4 KB
Created: 2020-11-09 10:42:22 +02:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7a1e5a8b7b1ccec28f0e9995ba567e4c
SHA-1: 5a15c6d5f15cd80e1527964fd4b3f6820a7b9248
SHA-256: c0b3abb9cc75f3a3e12fefe1dbf76259f2c38beb01b0cfb665208e414132c40b
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of external links, many pointing to other PDFs, suggesting a link farm or SEO manipulation tactic. The document body, though heavily obfuscated, contains text related to 'letter of introduction for student teaching' and includes URLs that are likely part of this scheme. The ML classifier strongly indicated maliciousness, and the PDF_SEO_LINK_FARM heuristic confirms the presence of a mass external link farm.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info) PDF_URI
    The PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info) PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000066fc.bin
  SHA-256: 089b6ef3518a5b8c85d5838182ffc1ed0daed0a789a6af353b3980c37e352d29
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x66FC
  Size: 5192 bytes

Filename: font_01_sfnt_off000078ae.bin
  SHA-256: 771b9ec581e64343474b708ef96736ef6446fb32bb8e8f8ac887584679bbc744
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x78AE
  Size: 10820 bytes