Malicious PDF — malware analysis report

Static analysis result for SHA-256 dd0e8d5322072077…

MALICIOUS

PDF

41.4 KB Created: 2020-05-18 12:22:37 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 1f35f425fb459aedc3e26df946410486 SHA-1: c71aa9abf48e436fc0ded284c74fe58b1a065fa4 SHA-256: dd0e8d53220720777750e01d63a5c70bcf980859ab402a748ce4262ef29cb947
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a large number of external links, many of which point to similarly structured URLs on different domains. This behavior is indicative of a link farm or redirection scheme designed to lead users to potentially malicious content. The ML classifier strongly flagged this PDF as malicious, supporting the assessment that the embedded links are intended for malicious purposes rather than legitimate educational content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9969

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://merrionpage.com/uploads/1/3/0/4/130476747/130476747.html#exercice+vocabulaire+g%25C3%25A9om%25C3%25A9trie+cm2
    • http://danahalllcpc.com/uploads/1/3/0/5/130543682/lonexazadupuf.pdf
    • http://capacitylive.co/uploads/1/3/1/3/131398605/6783921.pdf
    • http://randymayfield.net/uploads/1/3/1/4/131453256/guxofanevamu.pdf
    • http://myblackenterprise.com/uploads/1/3/0/7/130739751/1bbd15f2dbe0b.pdf
    • http://ameliatseng.com/uploads/1/3/1/3/131398547/2436165.pdf
    • http://withgom.com/uploads/1/3/0/8/130814353/fibuga-kabifasebipif-jawugodudajo-bilomovolawid.pdf
    • http://lifereflectionsbykaren.com/uploads/1/3/0/5/130545985/2134120.pdf
    • http://himeslawoffice.com/uploads/1/3/0/6/130604512/610506.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005476.bin
2e3af33663d03ec9a00a2230504bb9e8f98e67bd55fe1d0bcc4ef3f4c4b957b0		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5476 1696 bytes
font_01_sfnt_off00005c9d.bin
31290eb4c44b09b819b208ccf46825bff2270dbf35e3698986871d6e4c1ce847		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5C9D 11412 bytes
font_02_sfnt_off000081f1.bin
f640c368cc16fe144e85cddae2582b6df2eca48843d873c01cbaa625c9225b76		 pdf-font-stream PDF embedded font (sfnt) at offset 0x81F1 16320 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.