Malicious PDF — malware analysis report

Static analysis result for SHA-256 38667a9a876124f8…

Verdict: MALICIOUS
File type: PDF
Size: 110.0 KB
Created: 2020-04-11 02:40:29 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: d5b1cb7ed58604ea7a426a8ffd0dfb41
SHA-1: 338ef38d70125db696738c7ab74935f0ae3b1ca9
SHA-256: 38667a9a876124f831521e3c66fa74452346947002701ffb762f2361621f9254
Risk Score: 96

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic. The ML classifier also strongly indicated maliciousness. The primary function appears to be directing users to a multitude of other PDF files hosted on various domains, likely as part of an SEO spam or content distribution scheme.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9998

Heuristics (4)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename                      Kind                     Source                                      Size
stream_004_off00016f25.bin    decompressed-pdf-stream  PDF FlateDecoded stream at offset 0x16F25   32680 bytes
  SHA-256: 4c66e70d05f257e74242e58e9c8a632575e47cb3f6ee57428082f6f195acd574
font_00_sfnt_off00014d5b.bin  pdf-font-stream          PDF embedded font (sfnt) at offset 0x14D5B  8984 bytes
  SHA-256: 82787cc1f1e184f79a0d3f2f0cae8c05802ebaf1cc290152fa579aa46b8a1515