Malicious PDF — malware analysis report

Static analysis result for SHA-256 e48e568f8f786426…

MALICIOUS

PDF

Size: 38.1 KB
Created: 2020-03-15 06:56:35 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 0cf225d662a4d602b76df779ea2e28b5
SHA-1: 03a72c66c7960927d3559f32af91128f142b59d5
SHA-256: e48e568f8f78642648caec7ec3e1b769825c5e6e92e3a54bc8a640daad7a2c8e
Risk Score: 94

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF document contains a large number of external links, many with numeric or generic slugs, indicative of an SEO link farm or content spamming operation. The document body, though partially corrupted, contains text related to learning to read PDFs for children, which serves as a lure. The ML classifier strongly flagged this PDF as malicious, and the presence of numerous unknown-reputation URLs suggests a distribution or redirection mechanism. No scripts were extracted from this sample.

Machine Learning

  • Nyx PDF Classifier: malicious score 1.0000

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule: PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://pingboguojiguanwang.br3h.com/uploads/1/3/0/6/130620362/130620362.html#aprender+a+leer+pdf+ni%C3%B1os
    • http://target.jropro.com/uploads/1/3/0/7/130776872/xetanazara.pdf
    • http://emmavillesolarfarm.com.au/uploads/1/3/0/3/130312951/suvipise-befinosedane-texubarituvo-xuzideridan.pdf
    • http://hostmaster.ritadewolf.be/uploads/1/3/0/2/130272903/3440819.pdf
    • http://www.kerrybrookfarm.com/uploads/1/3/0/4/130483125/rosuwaxojosez_pubofafanode.pdf
    • http://gohi.eu/uploads/1/3/0/9/130969925/wadoti.pdf
    • http://mobytrack.com/uploads/1/3/0/2/130287799/8049575.pdf
    • http://foundationschurchva.com/uploads/1/3/0/6/130639448/267ebf3d446.pdf
    • http://raycoffee.net/uploads/1/3/0/6/130621019/jexuxiganor-pisojur-rejabujikazurig-wukazedotivudo.pdf
    • http://rhettasreliablelips.com/uploads/1/3/0/7/130775520/3048cdd.pdf
    • http://alondoncollection.com/uploads/1/3/0/7/130738705/pobodizi-buzuxopeta-dofiz.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Fields: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off00005dd1.bin
    SHA-256: 968639a1bbc4693e9960e8c517ef427b7536b2abe0850d7ad8b2445c93882b67
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x5DD1
    Size: 8988 bytes
  • font_01_sfnt_off00007e66.bin
    SHA-256: 21173d27a5b58c16d3a6e42c41d325ae5c6f0669c6549af0cdb77135f4151487
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7E66
    Size: 2568 bytes