Malicious PDF — malware analysis report

Static analysis result for SHA-256 c5d767acb80e0ccc…

MALICIOUS

PDF

29.9 KB Created: 2020-04-10 22:46:03 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: c903dd4f8514d0da2260ff2093727efc SHA-1: 3fecd0182064329d4cccc377fa0ffc202edfaaa8 SHA-256: c5d767acb80e0ccc1c0bcb52bda11396a738c81cd1dbac09047180d40055b84c
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The PDF contains a large number of external links, many of which are hosted on newly registered domains and appear to be part of a link farm. The document body references a 'leaked video' to entice clicks. The ML classifier strongly indicated maliciousness, and the PDF_SEO_LINK_FARM heuristic confirms the presence of numerous external links, suggesting a drive-by download or phishing attempt.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9992

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://minnocare.com/uploads/1/3/0/6/130639281/130639281.html#sonakshi+sinha+mms+video+leaked
    • http://testfimba.com/uploads/1/3/0/5/130589058/wogidubikoned-jubolusapovi-jamit-mupujunilulawer.pdf
    • http://vigilantstorage.com/uploads/1/3/1/0/131071167/zezazijejejakafofona.pdf
    • http://jbrinkmann.com/uploads/1/3/0/3/130379151/1207133.pdf
    • http://desiredestinations.net/uploads/1/3/1/3/131398143/8336587.pdf
    • http://ukecigstorez.com/uploads/1/3/0/4/130489342/mizuvisuvinobu.pdf
    • http://truepremisesoflife.com/uploads/1/3/0/4/130490399/0070f.pdf
    • http://zollthai.com/uploads/1/3/0/9/130969833/1d07b55c87.pdf
    • http://conroeconcretecompany.com/uploads/1/3/0/8/130813800/8993980.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000500a.bin
5f2f69a58d09da74ca542c99426f685372f3979f1e80e31a6893a38f4e3d474f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x500A 7180 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.