PDF malware analysis — malicious · 3050e3f857b18f60

MALICIOUS

PDF

41.2 KB Created: 2020-03-16 16:13:38 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)

MD5: 30bef1a24e2467f9e4a9d0fbaa0af9b6 SHA-1: a08624ada7e913a40ae18a6f25fce0c9b6cc2533 SHA-256: 3050e3f857b18f6094fa352942fd97b3cbbe278ccd12180feace535d19ef2e63

94 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious File

The PDF document was flagged as malicious by an ML classifier and contains a large number of external links, many of which point to PDF files hosted on various domains. The primary URL found in the document body is http://4pxt5.bpmtc.com/uploads/1/3/0/7/130775724/130775724.html#rcp+basica+2017. This suggests a link farm or a distribution point for further malicious content, likely aimed at SEO manipulation or hosting malware.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://4pxt5.bpmtc.com/uploads/1/3/0/7/130775724/130775724.html#rcp+basica+2017
- http://www.lanceediger.com/uploads/1/3/0/7/130776630/wukuvonode.pdf
- http://havenpsychologycentre.com.au/uploads/1/3/0/6/130603956/ketuzavike.pdf
- http://pwrbit.net/uploads/1/3/0/8/130873784/buropuvovenol.pdf
- http://spotart.co.uk/uploads/1/3/0/2/130289332/c0b4aa33a.pdf
- http://boomantifc.org/uploads/1/3/0/3/130323491/b5cdf6.pdf
- http://www.blindforce.com.au/uploads/1/3/0/5/130542983/1841312.pdf
- http://serpentinefyreglass.com/uploads/1/3/0/4/130483667/2773897.pdf
- http://admgems.com/uploads/1/3/0/5/130590666/5698583.pdf
- http://www.lodgeapps.com/uploads/1/3/0/5/130588861/81b27729.pdf
- http://daisydcow.com/uploads/1/3/0/5/130543279/kigesapakeb.pdf
- http://yourrentalexpert.com/uploads/1/3/0/6/130621432/juvazuwivis.pdf
- http://mail.simplyburtons.com/uploads/1/3/0/4/130483918/bizejuzuzor.pdf
- http://everest2ocean.com/uploads/1/3/0/7/130775200/pobilavarujufa.pdf
- http://amitaysadovsky.org/uploads/1/3/0/5/130538950/fateto.pdf
- http://sbjoinery.net/uploads/1/3/0/2/130272428/b2d721.pdf
- http://mycorporateteambuilding.com/uploads/1/3/0/2/130287295/1029554.pdf
- http://nmwordprocessing.com/uploads/1/3/0/2/130289353/4b5fe79.pdf
- http://charliesopentalk.com/uploads/1/3/0/5/130548192/nazuko-gaxuditazo.pdf
- http://cinderellas-secretllc.us/uploads/1/3/0/7/130740375/d072502020d9.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000078c1.bin` `3fece02668da233a32ecc9656292b91dacbf794e58dd168854ae6b19483a05af`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x78C1	8556 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.