Malicious PDF — malware analysis report

Static analysis result for SHA-256 cf1b17c683533247…

MALICIOUS

PDF

40.3 KB Created: 2020-04-08 02:57:42 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: ce1c69420ec066fb18a774c6d7d3cba6 SHA-1: 0f5e0b6311165c43484d025d743dd4491847f5f8 SHA-256: cf1b17c6835332473589c3729bb4fdb5773a76a22cef36be4e6df8f9b46bf085
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious File

The PDF contains a large number of external links, a technique often used for SEO manipulation or to distribute malicious content. The ML classifier strongly indicated maliciousness, and the PDF structure suggests it's part of a link farm. No scripts were extracted, but the sheer volume of outbound links points to a malicious intent to redirect or host harmful content.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://immersivesoundexperience.com/uploads/1/3/0/7/130776141/130776141.html#whitfield+cascade+pellet+stove+btu
    • http://kinseyandcompany.org/uploads/1/3/0/6/130621076/3277972.pdf
    • http://sdp.scot/uploads/1/3/1/4/131438275/82fd962aab6b0b2.pdf
    • http://olivia-lang.com/uploads/1/3/0/3/130323888/c5adfd2386e0cf2.pdf
    • http://colourstick.com/uploads/1/3/0/2/130289365/xazabite-xuxiwojub-ponasovev.pdf
    • http://capiteg-icorp.com/uploads/1/3/1/0/131070652/7347325.pdf
    • http://layoverinparistours.com/uploads/1/3/1/1/131164136/tokipipipegi_mopofig_fusukazogoxido.pdf
    • http://dirtbustersinspain.com/uploads/1/3/0/8/130874501/kizusud-selifebamedu-sofisazewuziluf-molasizoduzas.pdf
    • http://trashintransit.org/uploads/1/3/1/3/131383760/6343122.pdf
    • http://kashpoker.net/uploads/1/3/0/7/130738847/vubelazutiriwu-nexolazapefox-letizaz.pdf
    • http://580774685565887697.com/uploads/1/3/1/3/131378791/kivejepinokak.pdf
    • http://cenovelcritiques.com/uploads/1/3/0/5/130540824/panikebivewiwe.pdf
    • http://greatervancouverroofing.com/uploads/1/3/0/6/130621622/5968257.pdf
    • http://callstephanierealtor.com/uploads/1/3/0/5/130588795/5aed7907b9c.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000072f6.bin
fb6a4fadb1df067c281a515a0e4617d0e7b1bff429ec5d19b138600352a3ffa8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x72F6 8704 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.