Malicious PDF — malware analysis report

Static analysis result for SHA-256 e9b9456b98d0270c…

MALICIOUS

PDF

30.2 KB Created: 2020-06-01 12:23:45 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 30ee902e434b876c37e0d3ab93c66d05 SHA-1: 5e2e65878db21bb361eca6beca107f48e284b036 SHA-256: e9b9456b98d0270c8d8e0f2cb2a4ac72f65266e67bdc9f524759c2211ac8bba0
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link T1059.001 PowerShell

The PDF file contains numerous external links, many of which point to domains designed for SEO poisoning or link farming, such as carlospark-playablanca.com. The document body, though heavily obfuscated, contains text related to 'Modern elementary statistics 11th edition' and the wkhtmltopdf application, suggesting a lure to disguise malicious links. The ML classifier strongly indicated maliciousness, and the presence of multiple unknown URLs supports a phishing or redirection attack.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9961

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://74-123-73-214.mgwnet.com/uploads/1/3/0/9/130969034/130969034.html#modern+elementary+statistics+11th+edition
    • http://carlospark-playablanca.com/uploads/1/3/0/6/130621657/jevojixow-pejinobisaro.pdf
    • http://fleurmenotaire-mtl.com/uploads/1/3/0/7/130775050/7838768.pdf
    • http://apismellifera2.com/uploads/1/3/1/6/131606118/913321.pdf
    • https://digogaba.files.wordpress.com/2020/06/43822526868.pdf
    • https://masobovixapa.files.wordpress.com/2020/05/remekowa.pdf
    • https://samudazekami.files.wordpress.com/2020/05/jatixe.pdf
    • https://vurizuzuni.files.wordpress.com/2020/05/dovafovawilowuloxuluvok.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00004d82.bin
da095cfd717fd3daa3b1437aa4dc2054cf104e43ee80f66e72c4e65a563cc4fb		 pdf-font-stream PDF embedded font (sfnt) at offset 0x4D82 9484 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.