PDF malware analysis — malicious · 116405b762a1758a

MALICIOUS

PDF

45.7 KB Created: 2020-04-11 04:20:44 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)

MD5: 330627885168e7a0f2bbcb1f18b5c74e SHA-1: c30531cf0ab03a9c4a1af9654bc3ce69e547e2d1 SHA-256: 116405b762a1758a7c5ebc84e0cba570620ee9d37079be2378930c547919918c

104 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of external links, many of which point to other PDF files. This behavior is indicative of a link farm, often used for SEO manipulation or to distribute malicious content. While no scripts were explicitly extracted, the PDF structure and the sheer volume of outbound links suggest a malicious intent to redirect users to potentially harmful sites. The ML classifier also strongly flagged this PDF as malicious.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 5

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Visual download / call-to-action button lure low SE_DOWNLOAD_BUTTON

Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://afaparents.org/uploads/1/3/0/5/130590374/130590374.html#the+power+of+neuroplasticity
- http://mapamunditravels.com/uploads/1/3/0/6/130621516/8d5cbeb.pdf
- http://kristenheiser.com/uploads/1/3/1/4/131453620/sajoxekufebosimu.pdf
- http://elysajones.com/uploads/1/3/0/8/130874645/7844388.pdf
- http://lovemyshoesco.com/uploads/1/3/0/5/130543855/4511879.pdf
- http://bgcsjc.com/uploads/1/3/0/9/130969559/pifazugotegab_pevodajitasulem_wipafole_tagipanil.pdf
- http://theasvabtutor.co/uploads/1/3/0/6/130603810/87b4b7802.pdf
- http://capital1financeconsultants.com/uploads/1/3/0/6/130620449/najigevivoginit_dufulax.pdf
- http://gentegrande.org/uploads/1/3/1/0/131070695/5628537.pdf
- http://risefitness.net/uploads/1/3/0/2/130271205/vumavedafemilumipe.pdf
- http://demetrab.com/uploads/1/3/0/6/130639124/joxujisawutinurokeg.pdf
- http://occstudios.com/uploads/1/3/1/4/131407855/jebot_sazugumu.pdf
- http://buswell.ca/uploads/1/3/0/5/130543537/6234045.pdf
- http://trentsandifur.com/uploads/1/3/0/7/130775251/wegimidi-bumopog-vixifikiwupun-vikekomonap.pdf
- http://theirwinfirm.com/uploads/1/3/1/1/131164558/novadatiloke.pdf
- http://3253gilpin.com/uploads/1/3/0/9/130970014/zofexapasowimog-sedigosevujo.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00008af1.bin` `b3b14ce8a3f992c8674693e5c3df0046df13d911d6f324e2205d53b95ba0cc62`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8AF1	8212 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.