Malicious PDF — malware analysis report

Static analysis result for SHA-256 ccc69b0df8b9d5c4…

MALICIOUS

PDF

39.4 KB Created: 2020-03-13 02:31:35 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 3922b1c8312f8a9ce5aede12be3ceab3 SHA-1: 79df1e427e8f26ae151fcbe1fc25f618b8004866 SHA-256: ccc69b0df8b9d5c4c5b8e41ff9eff7b1bc92f65b6dd53a56384f67f84426589f
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of external links to various domains, a technique often used for SEO manipulation or to distribute further malicious content. The ML classifier strongly indicated maliciousness, and the PDF_SEO_LINK_FARM heuristic confirms the presence of a link farm. The embedded URLs likely serve as the primary mechanism for delivering the malicious payload or redirecting users to phishing sites.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://urfacefix.com/uploads/1/3/0/7/130775939/130775939.html#trane+centrifugal+chiller+modbus
    • http://viel.co/uploads/1/3/0/4/130483507/7123933.pdf
    • http://sunniesclothing.com/uploads/1/3/0/6/130639567/xedefebenogepogu.pdf
    • http://thaipin.com/uploads/1/3/0/7/130739029/botev.pdf
    • http://sharkhunterapparel.com/uploads/1/3/0/8/130814280/34637f45.pdf
    • http://kyleelizabethkessler.com/uploads/1/3/0/7/130776886/2315570.pdf
    • http://dreamhomesllc.net/uploads/1/3/0/7/130739573/7172522.pdf
    • http://www.yoursweetjoy.ca/uploads/1/3/0/3/130313585/9edc6b6a982d7b1.pdf
    • http://vodajulijana.si/uploads/1/3/0/5/130588948/7378409.pdf
    • http://josephinetemple.com/uploads/1/3/0/6/130640013/1840710.pdf
    • http://firewallyourwallet.com/uploads/1/3/0/6/130621480/9387380.pdf
    • http://liquorlawsvt.com/uploads/1/3/0/6/130639532/kabeziveda_mavufuw_lepevas_sarifubuzik.pdf
    • http://collinsconcepts.net/uploads/1/3/0/7/130776299/2744409.pdf
    • http://gogotrain.eu/uploads/1/3/0/7/130739615/8425835.pdf
    • http://lauralemay.net/uploads/1/3/0/6/130620902/xefubefuj.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006e41.bin
824951789c4eaf29a6c59ac9b8fbf5de45dfae8624d5e08dbba318acf66b0418		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E41 8540 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.