MALICIOUS
Risk Score: 92
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious Link
This PDF document employs a link farm technique, embedding numerous URLs that point to external PDF files hosted across various domains. The document's apparent purpose is to disguise malicious activity by presenting a seemingly innocuous topic like a wiring diagram. The ML classifier strongly indicated maliciousness, and the PDF structure reveals a mass of external links, suggesting a potential distribution or redirection mechanism.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- External URI (info, PDF_URI): PDF contains an external URL action
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000896b.bin 3c7b71fc6db08028be83cd08e2e8204e040ae8107aa5db0d45f13bb10a3a2ced | pdf-font-stream | PDF embedded font (sfnt) at offset 0x896B | 8232 bytes |