MALICIOUS
Risk Score: 92
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1204.002 Malicious Link
The PDF contains a mass of external links, many of which are numerically or generically named PDFs hosted on various domains. The document body presents a deceptive error message related to Android development to trick users into clicking these links. The primary lure appears to be the 'error android_sdk_root is undefined android studio' message, directing users to a specific URL that likely hosts further malicious content or phishing pages.
Machine Learning
- Nyx PDF Classifier malicious score 0.9999
Heuristics 3
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- External URI (info, PDF_URI): PDF contains an external URL action
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL
- http://mindfulnessbrigade.com/uploads/1/3/1/4/131407855/131407855.html#error+android_sdk_root+is+undefined+android+studio
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off00006ffd.bin 663ac4679d621411535c8ab8fc8556471fe847d5121582301ed23989235b176d | pdf-font-stream | PDF embedded font (sfnt) at offset 0x6FFD | 11464 bytes |