PDF malware analysis — malicious · 365d325054415c6b

MALICIOUS

PDF

47.6 KB Created: 2020-03-29 22:39:56 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)

MD5: 1911cdae1ff4b3a061dfac9dda4cf7cc SHA-1: 5dc4af3508d5b79ce94409c050b77bde474019f8 SHA-256: 365d325054415c6bf3ab752724b00751e67a8213422a3c529da50ce8c03414f0

94 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.001 PowerShell

This PDF file exhibits characteristics of a link farm, containing a large number of external URLs. The PDF_SEO_LINK_FARM heuristic firing indicates a mass of external links, suggesting a potential SEO spam campaign or a distribution point for further malicious content. The ML classifier strongly supports the malicious nature of this PDF. No scripts were extracted from this sample, limiting the analysis of direct payload execution.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://myentouragemusic.com/uploads/1/3/0/4/130476112/130476112.html#20+ft+into+meters
- http://my123456.xyz/uploads/1/3/0/8/130874283/681733.pdf
- http://hindsqr.com/uploads/1/3/0/7/130738578/9a55a9c984.pdf
- http://www.treehuggerhotsauce.com/uploads/1/3/1/1/131163793/811a1cb7.pdf
- http://raaseypi.com/uploads/1/3/0/2/130270982/peraduzo.pdf
- http://havensaloncotati.com/uploads/1/3/0/7/130775129/kimigas.pdf
- http://leafmeupteaco.com/uploads/1/3/0/6/130604081/fowefivirupis.pdf
- http://gadget-catcher.com/uploads/1/3/0/5/130539019/446316e7e58f3.pdf
- http://sallycasey.com/uploads/1/3/0/7/130738565/kotodemubukinemumusu.pdf
- http://liceotomasmorales.com/uploads/1/3/0/7/130739891/b6d1c0c60.pdf
- http://northforkdoor.com/uploads/1/3/0/6/130621021/zijokutudadiwu.pdf
- http://rachelroccophotography.com/uploads/1/3/0/6/130640142/3e11131c34.pdf
- http://theghosttours.com/uploads/1/3/0/7/130738915/8904924.pdf
- http://toydefenser.com/uploads/1/3/0/2/130272638/rivenim_lelavizegeni.pdf
- http://detailinggreensboro.com/uploads/1/3/0/2/130291827/nifufuzutojuzusurive.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off000072b0.bin` `e5f67b1c9af9034245694ad111de4625751599dbc9e3bfbf479cb255e4e7c842`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x72B0	7884 bytes
`font_01_sfnt_off0000919c.bin` `83d89f79375f7f339e88070a8779324ce221c94923bff415e388e162fbc46cfe`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x919C	2604 bytes
`font_02_sfnt_off00009acf.bin` `e09dc7ad56e8e1526617d285a6dd034ca63295bb8ba21112af6060cda82e9610`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9ACF	16272 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.