PDF malware analysis — malicious · 336744cb57e760aa

MALICIOUS

PDF

41.9 KB Created: 2020-03-22 07:54:42 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)

MD5: bff840f30d93ecc642ba311371901f17 SHA-1: b23208e21f11dc375a8ca25be40e4d1b4434250f SHA-256: 336744cb57e760aaeac9da7d47f86f408798363217d3ae92fb94c8fada516013

92 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains a large number of external links, many of which point to other PDF files hosted on various domains. This behavior is indicative of a link farm designed to manipulate search engine rankings or distribute malicious content. The ML classifier strongly supports the malicious nature of this PDF. No scripts were extracted, and the document body is heavily obfuscated.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://house-2homeinspections.com/uploads/1/3/0/8/130814226/130814226.html#buffalo+restore+amherst+st
- http://www.uceplus.com/uploads/1/3/0/2/130274343/likodedujoforebaxeze.pdf
- http://ohiocomfortandcraft.com/uploads/1/3/0/7/130739763/6212838.pdf
- http://www.banjarkids.com/uploads/1/3/0/8/130814341/4b9585ceb.pdf
- http://juridicorapido.com/uploads/1/3/0/7/130740438/f7f44fa845.pdf
- http://nicollaslittleshop.com/uploads/1/3/0/4/130483491/kemezeralevamer-nekosote.pdf
- http://calkni.com/uploads/1/3/0/6/130621132/zopozorevavu.pdf
- http://blankamelbostad.com/uploads/1/3/0/5/130541661/8b56967c0.pdf
- http://garyroybird.com/uploads/1/3/0/5/130551654/woniledudisor.pdf
- http://theandrewfamilytree.com/uploads/1/3/0/6/130604269/c4cd058296a0b8.pdf
- http://judaicabyjimcohen.com/uploads/1/3/0/6/130621575/vilunidizekuzi_semijoruwedos_xuzazuwib.pdf
- http://babiesinbrooklyn.com/uploads/1/3/0/6/130639590/a3f3bff.pdf
- http://ctsolitfoundation.com/uploads/1/3/0/2/130272470/mopelagow.pdf
- http://hostmaster.va-instrument.se/uploads/1/3/0/5/130589103/maxunub.pdf
- http://dontforgetyourluggage.com/uploads/1/3/0/7/130775583/9359430.pdf
- http://michianawomeninconstruction.com/uploads/1/3/0/5/130542875/werola.pdf
- http://latviancontent.com/uploads/1/3/0/6/130605347/tibelaledotelolugij.pdf
- http://curatecolor.com/uploads/1/3/0/6/130639982/6873333.pdf
- http://www.ekogren.nl/uploads/1/3/0/6/130620607/0b3ea1d0.pdf
- http://twoharborslakesidemarket.com/uploads/1/3/0/5/130539130/9680de.pdf
- http://tradingblockpro.net/uploads/1/3/0/5/130590273/8063555.pdf
- http://buysomethingscary.com/uploads/1/3/0/9/130969249/veneruxiwu-kunaxiluxa-vakewozisowino-dutelinikuva.pdf
- http://www.jasonsalmons.com/uploads/1/3/0/5/130551697/0e5199b.pdf
- http://599-bonus.site/uploads/1/3/0/4/130435702/9984685.pdf
- http://minatangoboutique.com/uploads/1/3/0/2/130273738/7569abaade1.pdf
- http://minatangoboutique.com/uploads/1/3/0/2/13027373
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000079d1.bin` `b29c72e6c4cb93d2a24da04925fafb02543d9697ac9aa94fa309a710ac2bf942`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x79D1	8284 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.