Malicious PDF — malware analysis report

Static analysis result for SHA-256 e731cd3672e4ae12…

MALICIOUS

PDF

34.2 KB Created: 2020-04-11 06:03:00 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 2f364bd8f01cc53b7b2fd28b2b3a2660 SHA-1: 6cd173d6b436e37c24f522b5538f6a74948b7f32 SHA-256: e731cd3672e4ae128043063afda72f13934fed65b3edfe26c338370b32fb40b3
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a large number of external links, many of which are dynamically generated and point to domains that appear to be part of a link farm. The document body mentions 'Wolfteam bedava nakit kp hilesi', which translates to 'Wolfteam free cash kp cheat', indicating a lure for game-related cheats. This suggests the primary purpose is to direct users to malicious websites, potentially for phishing or further malware delivery. The ML classifier strongly supports the malicious verdict.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://mhrandlenovels.com/uploads/1/3/1/4/131406140/131406140.html#wolfteam+bedava+nakit+kp+hilesi
    • http://jordantlangdon.com/uploads/1/3/1/4/131437799/luguv.pdf
    • http://americasbestconcretetest.com/uploads/1/3/1/0/131070695/3009484.pdf
    • http://nourchemicals.com/uploads/1/3/0/7/130776503/nutole.pdf
    • http://isrmadison.com/uploads/1/3/0/5/130589360/norifemarezogu.pdf
    • http://blcctables.com/uploads/1/3/1/4/131437615/b088728369095ea.pdf
    • http://securefixscaffolding.com/uploads/1/3/1/0/131070938/35618.pdf
    • http://physicalmindco.com/uploads/1/3/1/4/131411600/mupujaxule_jolorigeti_kiziragijajaral_fumakusupoz.pdf
    • http://trailerboat.net/uploads/1/3/1/1/131163927/3488975.pdf
    • http://eventsbyrd.com/uploads/1/3/0/4/130491752/jimefixaso_jixolazivowe.pdf
    • http://oasisbaypv.com/uploads/1/3/0/4/130475877/009a9d953d0.pdf
    • http://globalafricadiaspora.org/uploads/1/3/0/6/130604626/wupoxetelorediw_zozidari.pdf
    • http://servified.org/uploads/1/3/1/6/131606974/da61e707bc5aa4.pdf
    • http://copperheadind.net/uploads/1/3/0/6/130604642/venewewe_rewuk_takavew.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000059b3.bin
79e1474bad9ede48111d9650f43968c2e64ad7ed9560fda274e081e4109305de		 pdf-font-stream PDF embedded font (sfnt) at offset 0x59B3 9656 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.