Malicious PDF — malware analysis report

Static analysis result for SHA-256 eb3275f7b7c57c9d…

Verdict: MALICIOUS
File type: PDF
Size: 55.2 KB
Created: 2020-03-25 00:55:01 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: e2a195b8023f4f281b9c65889bb09b52
SHA-1: 1ae8f56fce55901cabc1d17de7b3ef6005a57802
SHA-256: eb3275f7b7c57c9d545e42d2ebf3d9bdd82744ae3880bc208a95c082518c7c06
Risk score: 96

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links pointing to various domains, many of which appear to be part of a link farm. The primary URL extracted, 'http://adogslifeoxon.com/uploads/1/3/0/3/130379110/130379110.html#cuales+son+las+etapas+del+proceso+productivo+y+en+que+consisten', suggests a lure related to 'stages of the production process'. The heuristic 'PDF_SEO_LINK_FARM' strongly indicates this is a tactic to generate traffic or distribute content across many domains. No scripts were extracted, and the document body is heavily obfuscated, but the presence of numerous SEO-linked PDFs points to a content-distribution or traffic-generation scheme.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (object number N, generation G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: http://adogslifeoxon.com/uploads/1/3/0/3/130379110/130379110.html#cuales+son+las+etapas+del+proceso+productivo+y+en+que+consisten

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename                      Kind             Source                                     Size
font_00_sfnt_off00008852.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x8852  8964 bytes
  SHA-256: 40307b1e96d9b328cf21e4000eee561b0b8bd73e27a732e9cf22ba3c4b7e4b25
font_01_sfnt_off0000a89e.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xA89E  4144 bytes
  SHA-256: 885781ec91db75dc8c4a6a3d3dac0324bdfdb8f2239dab70466c62035ae072da
font_02_sfnt_off0000b594.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0xB594  16312 bytes
  SHA-256: 1d1fa5121415f8f5353993473374918b9d2a38f433752094af4cce5d3be72c8c