Malicious PDF — malware analysis report

Static analysis result for SHA-256 ff890af2d02c814f…

MALICIOUS

PDF

44.0 KB Created: 2020-03-31 06:21:19 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 24d052946771b6c98d1f9c02b158ae01 SHA-1: d4011e8a7aedbefc3a822dcdb00700dc2ef1f83e SHA-256: ff890af2d02c814fd1fef940b38f71461db73124f2b4fb1ad82e93eecb9cacbf
96 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of external links, many of which are numerically or generically named PDFs hosted on various domains. This pattern is indicative of a link farm designed to distribute malicious content or conduct phishing. The ML classifier strongly supports the malicious nature of this PDF. The document body, though partially corrupted, contains a title related to job valuation methods, suggesting a lure to attract victims.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics 4

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://urbanvertical.ca/uploads/1/3/1/0/131070598/131070598.html#cuadro+comparativo+de+los+metodos+de+valuacion+de+puestos
    • http://platinumeducationandtraining.com/uploads/1/3/0/7/130740443/9367005.pdf
    • http://nctfconcealment.com/uploads/1/3/1/4/131452935/pivano.pdf
    • http://nuernbergergrund.de/uploads/1/3/0/4/130489055/e0a927a6.pdf
    • http://theles-bijoux-de-chris-de-paris.com/uploads/1/3/0/6/130605125/poraduxosakuku_vikagaz.pdf
    • http://nosisdata.com/uploads/1/3/0/6/130604856/tunesatavubakef_mesufanofi_gufobajako.pdf
    • http://motonhomeinspection.com/uploads/1/3/0/7/130739502/zepimef.pdf
    • http://abacobahamashurricanerelief.org/uploads/1/3/0/5/130544385/sabajuti-rusededu-xitibebemikinam.pdf
    • http://waynekingphoto.com/uploads/1/3/0/4/130436250/3332643.pdf
    • http://bangsarproperties.com/uploads/1/3/0/6/130604940/rudidivok.pdf
    • http://tinytentsau.com/uploads/1/3/0/7/130740149/tevajovopulu.pdf
    • http://riskandcontrolconfidence.com/uploads/1/3/0/8/130873738/7295919.pdf
    • http://oakcliffmediaco.com/uploads/1/3/0/2/130289375/futojikedo.pdf
    • http://monasflowercafe.com/uploads/1/3/0/6/130604858/5725843.pdf
    • http://secondtimeroundautoparts.com/uploads/1/3/0/2/130289466/462391.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00007728.bin
b095009e1aa7b679086a2dd093949a1e2bfdfa179c83d9e64a20210f199a406d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7728 1544 bytes
font_01_sfnt_off00007e98.bin
71f1c37ccdb377923d89f3a011d0e49ae5f88405c5ba4325bfb6e76c581fdb96		 pdf-font-stream PDF embedded font (sfnt) at offset 0x7E98 9300 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.