Malicious PDF — malware analysis report

Static analysis result for SHA-256 d20bbc1832dfdab1…

Verdict: MALICIOUS
File type: PDF
Size: 123.3 KB
Created: 2020-04-13 21:27:18 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: eda5dc55b19b586b06c60a6d4e1c57a5
SHA-1: 72a1a6ee3c53a12b35580f781f74b2f4f1e14c57
SHA-256: d20bbc1832dfdab1f1f13aaba9ec251b2919fbbd09f21972b68f008f2b406680
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links, many of which are numerically or generically named, suggesting a link farm or SEO poisoning tactic. The document body, though heavily obfuscated, contains references to 'Cartoon tom and jerry 2018' and the wkhtmltopdf application, which is often used to generate PDFs from web content. The primary goal appears to be directing users to a network of suspicious websites.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9996

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off0001825f.bin
    SHA-256: 6af066b70477fb40628c76fc852798ec33553d53d32a18bb12cc3a9c21f03ef1
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1825F
    Size: 11444 bytes
  • font_01_sfnt_off0001a851.bin
    SHA-256: 096f0b4ec2643d2175d334e869641751687dfd0f17338fab8d8bf17fbce902c6
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1A851
    Size: 10884 bytes
  • font_02_sfnt_off0001cbb0.bin
    SHA-256: 1a48559509f7f75063a877bee3d72c2f3225c728dd953cebf65f9a5167f6cbd7
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1CBB0
    Size: 16036 bytes