Malicious PDF — malware analysis report

Static analysis result for SHA-256 d02eb4dc4148874b…

MALICIOUS

PDF

40.5 KB Created: 2020-05-19 20:10:16 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: f74d7fa9a8e6c776d538f41b4f9f892d SHA-1: 519f6b201293934c977c244dd82b96f2f07a2c0c SHA-256: d02eb4dc4148874b989ce001702b6c184aa3e19743fdb1b20bb1ab0ac183cc92
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of external links, a technique commonly used to create link farms for SEO manipulation or to redirect users to malicious sites. The ML classifier strongly indicated maliciousness. The primary external URI points to a suspicious domain, likely serving as a command and control or distribution point.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://c2cidaho.com/uploads/1/3/1/4/131409098/131409098.html#formule+de+stirling+d%25C3%25A9monstration
    • http://khliinc.org/uploads/1/3/0/5/130589222/lonigigakigutox-nogekimumabur.pdf
    • http://doylestownmedspa.com/uploads/1/3/1/4/131407736/4509065.pdf
    • http://forumdelamixite.com/uploads/1/3/0/2/130288002/bazopovir.pdf
    • http://peterkeilman.com/uploads/1/3/0/4/130488304/xiredaziwa_kazim_bagasezun.pdf
    • http://notyourshop.com/uploads/1/3/1/8/131857334/886308f.pdf
    • http://colormezen.com/uploads/1/3/0/8/130813649/446e5f57.pdf
    • http://adultinsurance.biz/uploads/1/3/1/3/131384214/de343048b.pdf
    • http://kristintaylor.net/uploads/1/3/1/6/131637149/db57c0f355.pdf
    • http://legacyproshops.net/uploads/1/3/0/6/130621836/78a30b80e.pdf
    • http://modsrockers.com/uploads/1/3/0/9/130969385/2883551.pdf
    • http://journeysouthbay.com/uploads/1/3/0/6/130620888/678820.pdf
    • http://thelordcomes.net/uploads/1/3/1/4/131453574/siwuvotowinoteja.pdf
    • http://mothersmilkbankofvirginia.org/uploads/1/3/1/8/131856995/44ddc8e7191f1.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000564f.bin
644a9b9011e714e473f9e1c3d7b64d6145a521e3040aae9736e084eb4ec62bf4		 pdf-font-stream PDF embedded font (sfnt) at offset 0x564F 12488 bytes
font_01_sfnt_off00007f34.bin
10256df74e62201370bfd88535b2a558d8cab1a2728c0a74cea157e67b16909d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7F34 16152 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.