Malicious PDF — malware analysis report

Static analysis result for SHA-256 ceeaf7008cb14473…

MALICIOUS

PDF

43.7 KB Created: 2020-05-04 00:10:55 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 3288a918b1a97bce3a7a1f0583ed440c SHA-1: cc46e6f1183d7dce0115590e71fe5cc681296660 SHA-256: ceeaf7008cb144732d02c9e7f9e33e67284afaa3863ef95a03b6ca550c27158e
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, pointing to various domains. The ML classifier also flagged this PDF as malicious with high confidence. The document body contains a mix of seemingly random text and URLs, suggesting it's designed to appear as content while primarily serving as a distribution point for other malicious files or for SEO manipulation. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://offplandubai.properties/uploads/1/3/0/6/130620590/130620590.html#banjara+video+song+free++mp4
    • http://cbatees.com/uploads/1/3/0/6/130604651/bb262b.pdf
    • http://chelsealipocky.com/uploads/1/3/0/3/130323672/lopuki_vakapuge_paxag_bewoxemevakuf.pdf
    • http://brightxpressions.com/uploads/1/3/0/5/130588451/fewodujefa.pdf
    • http://meganrundelphd.com/uploads/1/3/0/2/130271209/7788914.pdf
    • http://adentaperu.com/uploads/1/3/0/5/130588337/tomubip.pdf
    • http://sunflowervalleyboutique.com/uploads/1/3/1/3/131378898/8791573.pdf
    • http://oceansideinnva.us/uploads/1/3/0/5/130588493/semakupaxemuga.pdf
    • http://lauren-pritchard.com/uploads/1/3/0/7/130739827/3081687.pdf
    • http://rianach.com/uploads/1/3/1/4/131410662/d951bd05.pdf
    • http://virtualdigitalbank.net/uploads/1/3/1/4/131437977/vuwebunekigutikiruxu.pdf
    • http://severinlawoffice.com/uploads/1/3/0/4/130488578/kuwawawudu.pdf
    • http://thequeensofheart.love/uploads/1/3/0/3/130313169/b5542c9.pdf
    • http://aussiewildlifeshow.com/uploads/1/3/1/4/131453201/c667361.pdf
    • http://eonwriter.com/uploads/1/3/0/3/130379902/namofidoduraz.pdf
    • http://eonwriter.com/uploads/1/3/0/3/130379902/namofido
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006e73.bin
f9070894e3a83e1353b6a232f3f75fba158fe2699bc631e5bd256ef9822dd614		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6E73 11132 bytes
font_01_sfnt_off00009494.bin
2bb8d971068d6360699db087ff865e0441b1e2b374434a4a9182642d12176bd9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9494 4124 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.