Malicious PDF — malware analysis report

Static analysis result for SHA-256 e8ba76cdd0cfab6f…

MALICIOUS

PDF

33.3 KB Created: 2020-04-22 02:55:44 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 0b769343312e29341a752aaa8901a0bd SHA-1: 42eb66fd97168bcf0fe1a3d1adbbaf452a5a7ce9 SHA-256: e8ba76cdd0cfab6f14a9d3f72c44778b9a5698f644b10887374b41624480ea8e
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious File

The PDF file contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, pointing to various PDF documents on different domains. The ML classifier also flagged this PDF as malicious with high confidence. The primary attack pattern appears to be a link farm designed to distribute or redirect to other malicious content, rather than containing a direct payload within this file.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://francescocamuglia.com/uploads/1/3/0/6/130622029/130622029.html#calvary+temple+all+album+songs
    • http://freeedup.com/uploads/1/3/0/2/130270900/ae020d98b61d329.pdf
    • http://singaporedogcollars.com/uploads/1/3/0/4/130483710/mafuvidujiliger.pdf
    • http://cheshirecounsellingandpsychotherapy.com/uploads/1/3/0/4/130478470/2279827.pdf
    • http://kilarufoundation.com/uploads/1/3/0/2/130289460/bebekipuvig.pdf
    • http://clearcents.org/uploads/1/3/0/4/130435956/potajow.pdf
    • http://toknao.com/uploads/1/3/0/6/130639901/8652256.pdf
    • http://5thousandcleaningservices.ca/uploads/1/3/1/3/131380564/9469793.pdf
    • http://beautyforbrokebabes.com/uploads/1/3/1/0/131069935/91942cf9aa6ea5e.pdf
    • http://keeley-smith.com/uploads/1/3/0/3/130379843/vaxupaz.pdf
    • http://ntpsychologygroup.com/uploads/1/3/0/5/130588751/nedorexudasuronipa.pdf
    • http://fatimascrip.com/uploads/1/3/0/9/130969592/nejipatamiwu.pdf
    • http://christine-simmons.com/uploads/1/3/1/3/131379598/042a2.pdf
    • http://wwwjkinder.com/uploads/1/3/0/2/130272937/1088034.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000051ac.bin
93509f796b2ad21bf87b6e80de3395df0f243eb0788eee6f159b8fdf9161f92b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x51AC 7156 bytes
font_01_sfnt_off00006de6.bin
1b3f82cd74c5b6671cc0c0d4a6c7877b74bb57ca469b2a61ef541918e41af838		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6DE6 2652 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.