Malicious PDF — malware analysis report

Static analysis result for SHA-256 eda8add792410505…

MALICIOUS

PDF

51.8 KB Created: 2020-04-10 23:18:31 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 1d952312b4b48fde5dd6704f83f7a230 SHA-1: 47889e6d36c1524e26bd4d2f1c842a32c48780fc SHA-256: eda8add7924105055db645e9057e9f0bca78268117ca40f444f0847d54565f78
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.001 PowerShell T1204.002 Malicious Link

The PDF file contains a large number of external links, many of which point to similarly structured URLs on various domains, indicating a link farm designed to redirect users. The ML classifier strongly flagged this PDF as malicious. The primary attack pattern involves luring users through these links, likely to a site that hosts further malicious content or phishing pages. No scripts were extracted, but the PDF structure and numerous external links are strong indicators of malicious intent.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://74-123-72-13.mgwnet.com/uploads/1/3/0/3/130313188/130313188.html#tipo+ideal+max+weber
    • http://trainwithaheart.com/uploads/1/3/1/3/131379485/59db356.pdf
    • http://melaninmagic.org/uploads/1/3/0/5/130588716/e574359.pdf
    • http://ucdllp.com/uploads/1/3/1/4/131454172/ragarefafago.pdf
    • http://sparklesistersdesigns.com/uploads/1/3/1/0/131070702/nizepafevine.pdf
    • http://subnation.net/uploads/1/3/0/3/130323750/gogejetewujufa-tumiwuw.pdf
    • http://adriandevelops.com/uploads/1/3/1/3/131398333/8495131.pdf
    • http://baoandtea.com/uploads/1/3/0/7/130776182/9d6d5fe9e40e.pdf
    • http://rosegluckwriter.com/uploads/1/3/0/4/130490786/lalifuban.pdf
    • http://dp-constructions.com/uploads/1/3/0/6/130604191/1628557.pdf
    • http://worryknotevents.com/uploads/1/3/0/7/130740297/gomezidixeka-kivilulesatigod.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00008b89.bin
df4ea3680524a5771cec77d882fcb30318e1a93905f136cdccc9c01f35df0320		 pdf-font-stream PDF embedded font (sfnt) at offset 0x8B89 10588 bytes
font_01_sfnt_off0000ae6a.bin
779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63		 pdf-font-stream PDF embedded font (sfnt) at offset 0xAE6A 16036 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.