Malicious PDF — malware analysis report

Static analysis result for SHA-256 f05d1e99e00703b0…

MALICIOUS

PDF

37.3 KB Created: 2020-03-08 00:03:25 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: cbd7cf74626ae26acd5a07ca11d3d459 SHA-1: d8bdeb3b45da195fb763f8c6075601020e58812e SHA-256: f05d1e99e00703b09e6177a419bd440918d533acc1cedee7955594137a68af33
94 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document is identified as malicious by an ML classifier with high confidence. It contains a large number of external links, many pointing to PDF files hosted on various domains, suggesting a link farm or redirection mechanism. The document body text, though partially corrupted, indicates a lure related to 'Study skills handbook free pdf', and one of the embedded URLs directly reflects this. The primary attack pattern involves social engineering through a deceptive document title to encourage users to click on malicious links.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://survey.rodhillportraits.com/uploads/1/3/0/6/130620435/130620435.html#study+skills+handbook+free+pdf
    • http://derekhardman.com/uploads/1/3/0/2/130289482/velitizaj.pdf
    • http://goodbyesonline.com/uploads/1/3/0/2/130273803/a1dae7469ba4.pdf
    • http://membership.northgeorgiaboat.org/uploads/1/3/0/2/130272250/lozumomido.pdf
    • http://rosepalmerlaw.com/uploads/1/3/0/6/130639062/2264658.pdf
    • http://kristinefranklin.net/uploads/1/3/0/4/130490053/kenukunurizoniwu.pdf
    • http://mackprobuilding.com/uploads/1/3/0/6/130639085/rivufug-wonaxesab.pdf
    • http://rockymtnbernedoodle.com/uploads/1/3/0/4/130436213/4600849.pdf
    • http://bestgrownco.com/uploads/1/3/0/7/130775249/debalevirajidubufo.pdf
    • http://www.mitchtroop.com/uploads/1/3/0/7/130776096/jibuweped.pdf
    • http://www.pddonlinecars.com/uploads/1/3/0/8/130874055/9226839.pdf
    • http://fitnice.net/uploads/1/3/0/4/130483390/dovokowebiwufi-xugawekuzipilu-dodasetoko-xatidefal.pdf
    • http://www.kolenhandelpillen.be/uploads/1/3/0/5/130550974/vabozegut-fitebopu-xeseziligija.pdf
    • http://webmail.newburghmodelrrclub.org/uploads/1/3/0/8/130873994/pidixajufemumufo.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006ab7.bin
a0cca0c5d5be4f16a881285c65c5c641a2f8173e3b588a60655f98099b95db6c		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6AB7 7556 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.