PDF malware analysis — malicious · 15ed7fcb3baf56cf

MALICIOUS

PDF

42.8 KB Created: 2020-04-02 07:10:00 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)

MD5: 957553edbbe49968daaddac155f5070d SHA-1: e3eb8b6044dd934ac0e7d0d84f4bc02b6c78b395 SHA-256: 15ed7fcb3baf56cfd1313e5b76d936dd35a03dc20a3fe789dfed26bd7fa9bef4

136 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains numerous external links, a common tactic for link farms and phishing campaigns. The heuristic 'PDF_SEO_LINK_FARM' and the presence of many similar URLs strongly suggest this is part of a malicious campaign. The document body, though partially corrupted, contains text related to online courses and evaluation, likely a lure to encourage clicks on the embedded malicious links.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 5

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE

Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://partinthecarbs.com/uploads/1/3/0/8/130813557/130813557.html#ingresar+al+curso+en+linea+como+mejorar+la+evaluacion+en+el+aula
- http://drewerydyke.org/uploads/1/3/0/6/130639805/lidomidiji_xaxuzofagolev_jametoxogipe.pdf
- http://learn-ahead.com/uploads/1/3/1/1/131163723/ec89ab8c8e03189.pdf
- http://brasiltv.org/uploads/1/3/1/1/131163640/xizowavedumibadujefi.pdf
- http://monsterhoops.com/uploads/1/3/0/7/130775843/6908760.pdf
- http://integumentaryinfo.net/uploads/1/3/0/2/130287445/gabuvumabijatu.pdf
- http://landscaperscolumbiasc.com/uploads/1/3/0/6/130622111/lugagumo-guwup.pdf
- http://savelivesusa.org/uploads/1/3/1/0/131070799/xexapifedinuz-digubis-xatosazakef-tazomep.pdf
- http://playingsuperhereos.com/uploads/1/3/0/6/130605135/xafajabadog.pdf
- http://glacierdrs.com/uploads/1/3/0/2/130292014/724220.pdf
- http://kinder-farm.com/uploads/1/3/0/2/130288545/900207.pdf
- http://mettcom.net/uploads/1/3/0/3/130379409/2174abf.pdf
- http://tlcfaithfoundation.net/uploads/1/3/0/9/130969684/saxepomaz.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000067cf.bin` `074c4c35c6d7dd419465b685a225dfab71a836d5620ccebd718785847fdf6400`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x67CF	8776 bytes
`font_01_sfnt_off000087dc.bin` `f31c439e28d0137206b91a151f21343900f846ed9ff070250fbe82eb1cc7da1d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x87DC	16204 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.