PDF malware analysis — malicious · 25f499003851d2de

MALICIOUS

PDF

38.7 KB Created: 2020-03-15 02:12:04 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)

MD5: 35981a9963564f19f453c0f184f50ba0 SHA-1: 3d1173e16644e5b287ca4e68e139da0fae1c0849 SHA-256: 25f499003851d2dea85063b074bff2bea9ceaf282fa8e5ce7ae9d4693ea71c14

154 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a lure for 'Battlefield 1 free for android' and exhibits a large number of external links, characteristic of a link farm used for SEO poisoning or to distribute malware. The ClamAV detection 'Pdf.Dropper.Agent-9059348-0' and the ML classifier output strongly indicate malicious intent. The document likely serves as a dropper, directing users to download further malicious payloads from the numerous embedded URLs.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 5

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
ClamAV: Pdf.Dropper.Agent-9059348-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Pdf.Dropper.Agent-9059348-0
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://webdisk.q-four.com/uploads/1/3/0/6/130605028/130605028.html#battlefield+1+free++for+android
- http://bubbaluna.co.uk/uploads/1/3/0/8/130874111/jazekakeb.pdf
- http://thelightrebel.com/uploads/1/3/0/5/130546717/futitasaliwewox-patoxamubi.pdf
- http://wwww.leapdevelopment.nl/uploads/1/3/0/5/130540033/mirupizazikomuzuku.pdf
- http://qmaricoaching.com/uploads/1/3/0/8/130874023/372983.pdf
- http://bailigongguojiyule.br3h.com/uploads/1/3/0/2/130289237/8173173.pdf
- http://heartinpaia.com/uploads/1/3/0/6/130621495/xetuwogil_lorofogorexo_nabep.pdf
- http://deceptivapparel.com/uploads/1/3/0/7/130738919/b8ebbb09c94e.pdf
- http://chrisbosgraaf.com/uploads/1/3/0/5/130538996/depusipuk.pdf
- http://almanaquecircular.com/uploads/1/3/0/6/130621744/zalaf.pdf
- http://gearheadzatx.com/uploads/1/3/0/2/130272474/gawujebawasimapi.pdf
- http://kartell.com.vn/uploads/1/3/0/8/130814169/b397e3.pdf
- http://asterstudios.com/uploads/1/3/0/6/130603803/8dd3789.pdf
- http://ratedtemps.com/uploads/1/3/0/8/130874395/vemujiwod_xasulagutem.pdf
- http://advancedbiocomputing.net/uploads/1/3/0/7/130776349/f2c640e99.pdf
- http://metrowalkatlanta.org/uploads/1/3/0/6/130621918/loguxu.pdf
- http://gaskinsgadgets.com/uploads/1/3/0/4/130483634/71130f.pdf
- http://autodiscover.fetefam.com/uploads/1/3/0/4/130491757/5231632.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006fd2.bin` `8efd73c8fb16b59e9de42405a2d0c06905f59fe4d7215ce750f9c457c57bacc8`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6FD2	7688 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.