Malicious PDF — malware analysis report

Static analysis result for SHA-256 d63bccaf0715a234…

MALICIOUS

PDF

37.8 KB Created: 2020-06-21 18:52:58 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 3529a333a58494915002d6698f40c5a1 SHA-1: 6f8e1b64336cf1fe69cb027c2ffcbbd68578a3ed SHA-256: d63bccaf0715a23415e440386a8d932680bbc2684704579cc935b2f0cf7d35eb
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link T1059.001 PowerShell

The PDF contains numerous external links, many of which are part of a link farm designed to appear as legitimate resources, such as free textbooks. The ML classifier strongly indicates maliciousness. The primary lure appears to be 'Medical textbook free', directing users to a suspicious URL. The presence of multiple SEO-optimized PDF links suggests an attempt to distribute further malicious content or conduct phishing operations.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://minursespac.com/uploads/1/3/0/8/130873987/130873987.html#medical+textbook+free
    • http://hostmaster.firstumcds.org/uploads/1/3/0/5/130551543/7786050.pdf
    • http://mta-sts.mail.henryssports.com/uploads/1/3/0/7/130776885/2022362.pdf
    • http://reverse-recruit.com/uploads/1/3/1/3/131379514/d31b26ba.pdf
    • http://hostmaster.haus-arrez.com/uploads/1/3/0/7/130739729/xubiriguwixene-bimuwa-fixenojorinok.pdf
    • http://en.atmajothy.com/uploads/1/3/0/8/130874326/6731996.pdf
    • http://chrismerbler.com/uploads/1/3/0/3/130379409/6432555.pdf
    • http://mta-sts.mail.minnesotaflyfishing.com/uploads/1/3/1/4/131438682/6076489.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000569a.bin
8bcecab431831b7a96654434e2c9fd20faf05c17069aed6e37aac505ee4b9f95		 pdf-font-stream PDF embedded font (sfnt) at offset 0x569A 4796 bytes
font_01_sfnt_off00006700.bin
f5d7c6225e6fd771d09dbd11d72be6e05bfddfc5e6df6257bc72609e75fe5b73		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6700 10788 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.