Malicious PDF — malware analysis report

Static analysis result for SHA-256 0d45240868a78a1c…

Verdict: MALICIOUS

File type: PDF

Size: 32.0 KB
Created: 2019-05-24 00:42:43 +03:00
Authoring application: Adobe InDesign CS5_J (7.0.4) (via Acrobat Distiller 9.5.0 (Windows))
MD5: b07979d5cf0ca54567b5426ce8625842
SHA-1: c7e5051a46e078a5d6f12374fb45aa5f52dd716f
SHA-256: 0d45240868a78a1cf65c8312f9202f69ac9142a68c544cd282b30e897f5639ab

Risk Score: 132

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment

The PDF contains a large number of embedded URLs pointing to external PDF files, identified by the PDF_SEO_LINK_FARM heuristic. The SE_LOLBIN_RUN_COMMAND heuristic suggests that the document text may contain commands or sequences that could be interpreted by a LOLBin. While no scripts were explicitly extracted, the ML_NYX_PDF_MALICIOUS classifier indicates a high probability of malicious intent, likely related to SEO manipulation or distributing further content.

Machine Learning

  • Nyx PDF Classifier malicious score 0.8447

Heuristics (3)

  • Small PDF contains mass external PDF link farm (critical) PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • LOLBin token sequence in document text (high) SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.