Malicious PDF — malware analysis report

Static analysis result for SHA-256 ed2ec3ee625239dc…

MALICIOUS

PDF

Size: 37.2 KB
Created: 2020-03-26 03:09:32 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 0eee23b2df8d3efe64757d42555411d3
SHA-1: 27079225c1c469a200a4c083974a501be66257c9
SHA-256: ed2ec3ee625239dc2e08f0ef5f7583a69499ccb60c6edcbcdea8a29218015a02
Risk score: 94

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of external links, many of which are numerically or generically named PDFs, indicative of a link farm or SEO spam tactic. The primary embedded URL, 'http://bsa-sccc-pack301.com/uploads/1/3/0/6/130604110/130604110.html#como+convertir+metros+a+centimetros+cuadrados', suggests a lure related to unit conversion, potentially to disguise malicious intent. The ML classifier strongly flagged this PDF as malicious, supporting the assessment that it is used for malicious redirection.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (4)

  • Small PDF contains mass external PDF link farm (severity: critical, rule PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule PDF_URI)
    PDF contains an external URL action.
  • Object number defined twice with different bodies (severity: info, rule PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: http://bsa-sccc-pack301.com/uploads/1/3/0/6/130604110/130604110.html#como+convertir+metros+a+centimetros+cuadrados

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000069c7.bin
SHA-256: dd66341d68b9018b67c8a1e4112c1d3e7cecb14be5d705ad749016a0f8c53d5d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x69C7
Size: 8108 bytes