Malicious PDF — malware analysis report

Static analysis result for SHA-256 c22c830b587f1dbe…

MALICIOUS

PDF

67.5 KB Created: 2020-04-20 00:52:14 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: cd09b0965b8d4e386cc4a4711a4de30f SHA-1: ea3e53dd45c064dcc0d9f67659a9dc0010b8c394 SHA-256: c22c830b587f1dbeb99e1df5826f3c883f8d62de99ab3bebda8e577b7da2c4ee
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document contains a large number of external links, many of which are numerically or generically named, suggesting a link farm or SEO poisoning tactic. One prominent link, 'http://trysurely.com/uploads/1/3/1/4/131438245/131438245.html#amazon+prime+video+series+free', is presented as a lure related to streaming services. The ML classifier strongly indicated maliciousness, and the sheer volume of outbound links points to a malicious distribution or redirection scheme.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://trysurely.com/uploads/1/3/1/4/131438245/131438245.html#amazon+prime+video+series+free
    • http://hciorder.ca/uploads/1/3/0/6/130605001/jonokarugodiremizev.pdf
    • http://offsitestorageatlanta.com/uploads/1/3/0/4/130488312/karurexa.pdf
    • http://oldmanmickstudios.com/uploads/1/3/1/4/131453454/ratafe.pdf
    • http://cmcflourguam.com/uploads/1/3/0/4/130493968/8255638.pdf
    • http://katletki.com/uploads/1/3/0/2/130289256/4863579.pdf
    • http://thegreatmindsbookclub.com/uploads/1/3/1/4/131407010/d9706ebdb152.pdf
    • http://arenju.com/uploads/1/3/0/4/130488565/mezijobibodokus_furopixezawu.pdf
    • http://missbrunosclassroom.com/uploads/1/3/0/6/130604286/8078b2.pdf
    • http://brunosauto.net/uploads/1/3/1/3/131380641/f8c91.pdf
    • http://wonderwagonwv.com/uploads/1/3/0/2/130287875/2a171c.pdf
    • http://procapitex-grp.com/uploads/1/3/0/7/130775126/1715419.pdf
    • http://idutur.org/uploads/1/3/0/5/130588893/6054211.pdf
    • http://canlessairpricing.com/uploads/1/3/0/4/130490774/79b780332.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000e29b.bin
4ddf3cc93d10be09e2bbe77975986ae4afdc0b783ca895a83564646d3aa272e1		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE29B 8324 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.