Malicious PDF — malware analysis report

Static analysis result for SHA-256 f48f25014cb9c211…

MALICIOUS

PDF

35.5 KB Created: 2020-05-14 05:01:41 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 279bec1684426d90e19d0d9a15389448 SHA-1: c6d145f20678a7fb0e9415623562139c078059b3 SHA-256: f48f25014cb9c21157a0db786ee6bc044307330eb7b139c9b66575a645bf3470
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a large number of external links, characteristic of a link farm designed to manipulate search engine rankings or redirect users to malicious content. The ML classifier strongly indicated maliciousness, and the presence of numerous unknown-reputation URLs supports this assessment. The document body contains a nonsensical phrase and application metadata, suggesting it was programmatically generated to host these links.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://estrellaladywolvesvolleyball.org/uploads/1/3/0/8/130873790/130873790.html#boom+chicka+boom+new+song
    • http://justforyouspa.com/uploads/1/3/0/2/130274088/9edae4c6.pdf
    • http://caravations.com/uploads/1/3/0/3/130323341/makudosu.pdf
    • http://literacyatths.com/uploads/1/3/1/4/131405976/zikiburobad.pdf
    • http://patcostello.net/uploads/1/3/0/8/130874519/8751114.pdf
    • http://ceecentre.org/uploads/1/3/1/4/131406437/967db6743aa5e.pdf
    • http://thehammersolutions.net/uploads/1/3/0/5/130543468/8385802.pdf
    • http://benjaminhenke.com/uploads/1/3/1/3/131383717/1612106.pdf
    • http://freegarageconversions.com/uploads/1/3/0/6/130603956/3b5f46c2e904cda.pdf
    • http://ugandaproject.com/uploads/1/3/1/6/131606523/e921299ad1ae4f.pdf
    • http://yourlistingwebsite.com/uploads/1/3/0/5/130588685/novukakupomeza.pdf
    • http://azttech.com/uploads/1/3/1/4/131437623/2114582.pdf
    • http://ruralhealthnetworkresources.com/uploads/1/3/0/8/130874317/1118609.pdf
    • http://corazondemujer.net/uploads/1/3/0/8/130874076/tiribo.pdf
    • http://womenofmore.org/uploads/1/3/0/9/130969475/rakujaw.pdf
    • http://dollup.store/uploads/1/3/0/2/130274146/0810f.pdf
    • http://thepropertyamazon.com/uploads/1/3/1/3/131380729/lafabeliw.pdf
    • http://kdmorano.com/uploads/1/3/1/1/131163898/ziwaliminivifevazov.pdf
    • http://casadeamorelsalvador.org/uploads/1/3/1/3/131378776/04741f16c4.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00005f9c.bin
768d7f00104fca6922475ff214922a47605de0ade3a60574d64925a1333d2ac7		 pdf-font-stream PDF embedded font (sfnt) at offset 0x5F9C 10172 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.