PDF malware analysis — malicious · 0b607fc74078727f

MALICIOUS

PDF

47.8 KB Created: 2020-03-21 15:16:46 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)

MD5: 93327f3d751d168ef06a3edbfe3e7ce6 SHA-1: a989336981e8e3ae44d32b3583ada9ea2684b27b SHA-256: 0b607fc74078727f010123db8b2753eb2171d85f1d96f3049bcebf40cae5ca7e

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of embedded external links, identified as a PDF link farm. The primary URL points to a page discussing Java programming, but the majority of the links are to other PDFs hosted on various domains. This suggests the document is likely used for SEO manipulation or to distribute further malicious content, rather than for its apparent content. No scripts were extracted, but the presence of numerous external links indicates a malicious intent to redirect users.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://iglesiacentralfiladelphia.com/uploads/1/3/0/2/130289625/130289625.html#como+imprimir+un+arreglo+en+java+con+joptionpane
- http://www.blackbushfarms.com/uploads/1/3/0/6/130603878/5059686.pdf
- http://1800laserhair.com/uploads/1/3/0/6/130639061/bd0c794890e599f.pdf
- http://gadaisa.net/uploads/1/3/0/2/130272442/2c3f6d8dbb.pdf
- http://www.jsdrivein.com/uploads/1/3/0/9/130969373/nobatobatogeseg-jifukadazomulep-pamexi-sojexamigun.pdf
- http://elizabethwinternd.com/uploads/1/3/0/6/130605048/6019818.pdf
- http://tr.ncrage.com/uploads/1/3/0/5/130588222/vibukasebu.pdf
- http://staringocd.org/uploads/1/3/0/4/130479123/nonudov.pdf
- http://ftp.scheuring.ch/uploads/1/3/0/6/130639259/1255138.pdf
- http://logisticsunitedinc.com/uploads/1/3/0/4/130435596/lefebedener-wezumasenita-kojupimo-jugilugokazu.pdf
- http://www.visionpipetting.com/uploads/1/3/0/3/130323957/gexuxetukerokomedum.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006e87.bin` `e009f40f224f0cc6d326662b41faff2cae5180d1dd91dae346be23002115ba37`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6E87	9604 bytes
`font_01_sfnt_off00009154.bin` `83459e82cebe561b9e65dda6a09953c9e35f75e5df0fa62a624e1833cc5b8086`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9154	1708 bytes
`font_02_sfnt_off000099bb.bin` `1d1fa5121415f8f5353993473374918b9d2a38f433752094af4cce5d3be72c8c`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x99BB	16312 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.