Malicious PDF — malware analysis report

Static analysis result for SHA-256 c80fff3e538bfc6c…

Verdict: MALICIOUS

File type: PDF

Size: 45.9 KB
Created: 2020-03-25 09:40:11 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 08987d154e62389c9209d8e12e532b2a
SHA-1: dd835e2f9e2cd0e36c60e05595897b2fb2a9177e
SHA-256: c80fff3e538bfc6c76623c1ce4d7f53ebbbc6d5794d03fdce772e00e04a2c6fe
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links, many of which appear to be part of an SEO link farm. The ML classifier strongly indicated maliciousness. The primary attack pattern involves directing users to external URLs, which could host further malicious content or phishing pages. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    A small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than the citation pattern of a normal document.
  • External URI [info] PDF_URI
    The PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://myytr.net/uploads/1/3/0/3/130313005/130313005.html#como+es+un+ensayo+expositivo
    • http://www.know-ing.com/uploads/1/3/0/4/130476908/6503332.pdf
    • http://creatingamindfullife.com/uploads/1/3/0/3/130313500/vazerosenobo.pdf
    • http://52529.atkhn.com/uploads/1/3/0/4/130476649/nefako.pdf
    • http://hudsonvalleymemoir.com/uploads/1/3/0/7/130775126/954f82.pdf
    • http://shopbumpandco.com/uploads/1/3/0/6/130639770/bawinekuguta-xiduvaxeva.pdf
    • http://cryptomorphica.com/uploads/1/3/0/3/130323884/1f15a10147a.pdf
    • http://thegrowingseedsoflove.org/uploads/1/3/0/6/130604044/6110201.pdf
    • http://dns.pineforgesc.com/uploads/1/3/0/2/130270938/161390.pdf
    • http://www.retail-row.com/uploads/1/3/0/8/130815097/ditanabiduruz_vuwipixon_kododi.pdf
    • http://nickmofoto.com/uploads/1/3/0/4/130488197/kokuleresoxevibavane.pdf
    • http://abesoutfitters.com/uploads/1/3/0/6/130604423/3078648.pdf
    • http://wfhaysfamilymedicine.com/uploads/1/3/0/5/130588589/e0d93b926795fb1.pdf
    • http://nikkibloomcreationz.com/uploads/1/3/0/7/130776873/fubuxe.pdf
    • http://runsquadopo.org/uploads/1/3/0/6/130640013/bixaxevex.pdf
    • http://americanfamilygolf.us/uploads/1/3/0/4/130436441/7042704.pdf
    • http://danceonproductions.com/uploads/1/3/0/6/130604333/47af05fa29471.pdf
    • http://honeyheavenbees.com/uploads/1/3/0/5/130588366/fegilapefodo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off000072d9.bin
    SHA-256: bf8eacd383b58f1faf07db34f27c75dca5f9cb6ffe8a21495e320994753ed361
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x72D9
    Size: 9228 bytes
  • Filename: font_01_sfnt_off000093a6.bin
    SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x93A6
    Size: 16036 bytes