Malicious PDF — malware analysis report

Static analysis result for SHA-256 f04fc452e355cd35…

MALICIOUS

PDF

41.7 KB Created: 2020-04-03 14:11:48 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: da326c3ddda186f089ef028abe4b6aca SHA-1: bcb83b22606ea85cdb3f4b5e16b5901eba541f32 SHA-256: f04fc452e355cd35f88374705938301722deb43e61ca863359dfea3513310b06
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a lure related to Pokemon game cheats, but its primary function appears to be a link farm. It embeds numerous external URLs, many pointing to other PDF files, suggesting a tactic to manipulate search engine results or distribute further malicious content. The ML classifier strongly indicated maliciousness, supporting the interpretation of this as a malicious SEO or content distribution scheme.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://brightandbeautifulcleaning.net/uploads/1/3/1/3/131383607/131383607.html#pokemon+fire+red+5000+exp+cheat+codes+walk+through+walls
    • http://evarealty.net/uploads/1/3/0/7/130739500/1222134.pdf
    • http://tdsalud.com/uploads/1/3/0/9/130969356/kogitezifasoririsofu.pdf
    • http://mvgaming.org/uploads/1/3/0/6/130639259/seridovasivoke.pdf
    • http://rickyjab.com/uploads/1/3/0/8/130874110/9a9d30d227ceafe.pdf
    • http://runwayofficecenter.com/uploads/1/3/0/5/130545753/1602662.pdf
    • http://simana.org/uploads/1/3/0/8/130873829/2246626.pdf
    • http://aayogaandfitness.com/uploads/1/3/0/6/130605346/vanolasilukupuju.pdf
    • http://house-of-reiki.com/uploads/1/3/0/7/130739046/7460147.pdf
    • http://pabloabreu.com/uploads/1/3/0/6/130604524/1588658.pdf
    • http://katefalor.com/uploads/1/3/0/6/130639098/fuzuregemifev.pdf
    • http://aeautomotive.org/uploads/1/3/0/6/130620657/4336123.pdf
    • http://mal-test.com/uploads/1/3/0/9/130969175/fomitanaseliwabalosa.pdf
    • http://blkzen.net/uploads/1/3/0/7/130739500/5624606.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007c7c.bin
646c404a102e82c7beea36d714a63fd17883a20e9f6f8e24799827ca70d8e61b		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7C7C 7484 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.