Malicious PDF — malware analysis report

Static analysis result for SHA-256 d7ba1a2454dcd32c…

MALICIOUS

PDF

142.7 KB Created: 2020-06-03 15:01:10 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: dcb122a8293363df6c93184429bcf486 SHA-1: 64479464e2118b8ffbb8a8d415dd41e40e2de788 SHA-256: d7ba1a2454dcd32c4dbdf7d70e8c01fbea563a0171d6e9d7f26fd5718f277e73
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, suggesting a link farm or phishing attempt. The document body, though partially obfuscated, includes a URL that aligns with the detected external links. The ML classifier also flagged the PDF as malicious.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9670

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://jansuniqueboutique.net/uploads/1/3/0/3/130323255/130323255.html#o+melhor+nome+para+free+fire
    • http://westbrookwillow.com/uploads/1/3/1/4/131483520/7488848.pdf
    • http://swingsocalleft.com/uploads/1/3/1/8/131856373/satidu-siwuma.pdf
    • http://ns2.anythingtech.org/uploads/1/3/0/4/130491932/a793e055d4fe.pdf
    • http://ldnsoccerblog.net/uploads/1/3/0/6/130603802/tunebode.pdf
    • http://projectindianbeauty.com/uploads/1/3/0/6/130639347/takenute.pdf
    • http://andreahorton.com/uploads/1/3/0/6/130639653/zedogifam.pdf
    • http://constructionjlp.com/uploads/1/3/1/3/131379253/192496.pdf
    • http://jansuniqueboutique.net/uploads/1/3/0/3/130323255/terms.html
    • http://jansuniqueboutique.net/uploads/1/3/0/3/130323255/dmca.html
    • http://jansuniqueboutique.net/uploads/1/3/0/3/130323255/policy.html
    • https://minuboge.files.wordpress.com/2020/05/birosokivizepigufalamago.pdf
    • https://kipevofi.files.wordpress.com/2020/05/mawiki.pdf
    • https://gaminir.files.wordpress.com/2020/05/mekarokugugikoroguzegape.pdf
    • https://jowifigubug.files.wordpress.com/2020/06/82472898998.pdf
    • https://tosejikoleku.files.wordpress.com/2020/06/xupunuwaganafipovet.pdf
    • https://petogol.files.wordpress.com/2020/06/38208053172.pdf
    • https://tejigag564805948.files.wordpress.com/2020/06/14973591091.pdf
    • https://rogofuxeviso.files.wordpress.com/2020/06/27913995447.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 17

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000079a4.bin
957fbd870e7757fbff4741aa688efa9676b0aed6b7e0357280ab9ac7902941f1		 pdf-font-stream PDF embedded font (sfnt) at offset 0x79A4 8336 bytes
font_01_sfnt_off00009002.bin
247f27b0a35dde8b9ff68ae8bb9a10fab929eed7de77815ecff4642ed5e2c8b0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x9002 6048 bytes
font_02_sfnt_off0000a20e.bin
85cfd8dfb63684f3b4794033de934146399445051d07a6ad4e0630f53ded901f		 pdf-font-stream PDF embedded font (sfnt) at offset 0xA20E 6400 bytes
font_03_sfnt_off0000b1cc.bin
bd832bd723db0b7ae40ad5313050d01f3ba9b37d3fb11709cbf525a22da3bdb7		 pdf-font-stream PDF embedded font (sfnt) at offset 0xB1CC 20748 bytes
font_04_sfnt_off0000d106.bin
ae48814ce05fd4eb279d870ee655ec6df2eb9beb97d71f3ad8c081abf6d86562		 pdf-font-stream PDF embedded font (sfnt) at offset 0xD106 11508 bytes
font_05_sfnt_off0000e9d0.bin
ca53eb321483cf790c533d291fc32837c18ae0e4cbe43e95bf3728eee76e85ce		 pdf-font-stream PDF embedded font (sfnt) at offset 0xE9D0 109576 bytes
font_06_sfnt_off00015d91.bin
9d0f921a9b832787d3bf08e687f88da965982c877964cf36f262a3930082bec8		 pdf-font-stream PDF embedded font (sfnt) at offset 0x15D91 2512 bytes
font_07_sfnt_off000167c5.bin
dbfbd3d6c110b302aa603947315391d08a2355aa45ab0d0f5c40d384f132c9b9		 pdf-font-stream PDF embedded font (sfnt) at offset 0x167C5 2792 bytes
font_08_sfnt_off0001723c.bin
5b0cce7f2f2919facef050ecd749c22a8f4762cf551b8a9c6eff03901b89162d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1723C 2684 bytes
font_09_sfnt_off00017c59.bin
b010e284ec0e815c5839b0408a8b174efbbca622bc54f8904f7a2c07c731648f		 pdf-font-stream PDF embedded font (sfnt) at offset 0x17C59 2392 bytes
font_10_sfnt_off000185fe.bin
a49bd1939e0a34d4a459f45468bc55752325fe4087b55c1b1ab666402e900fa5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x185FE 5852 bytes
font_11_sfnt_off000194b8.bin
a1a44815be605a2a54d4824d9f957caefae1925f0b3cb83e50fcf1f69b2fc6db		 pdf-font-stream PDF embedded font (sfnt) at offset 0x194B8 2660 bytes
font_12_sfnt_off0001a02b.bin
8eb1226f2fb8b4c6537a8fcf2e12b28f6c3fe2dd489eba0f501c43387630a2eb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1A02B 3736 bytes
font_13_sfnt_off0001ab8e.bin
ea3837b48489d85a80165d04e1102bbdc4b0e7f05c35157c4f8c30bace7549d6		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1AB8E 15072 bytes
font_14_sfnt_off0001d982.bin
c78ba66b4af2b3f94b468bbd2f0f967ed34c689263bb55db57c7e213154ef16c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x1D982 25644 bytes
font_15_sfnt_off00020be2.bin
0a7473fb14eddb12d038b24f3280f1c7c69ca5b4d0951d03b8fdf5797f82a50e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x20BE2 6476 bytes
font_16_sfnt_off00021c51.bin
cbf963578e75b9aacf325d4cb8886add95295f75d403c23be7413186f676fda5		 pdf-font-stream PDF embedded font (sfnt) at offset 0x21C51 2072 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.