PDF malware analysis — malicious · 49957aeeff82e543

MALICIOUS

PDF

43.9 KB Created: 2020-03-25 13:18:56 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)

MD5: b4b86b015e10c63cfa30b27dc9ae3507 SHA-1: 1e1bfb7535159ed1fb3b171d5f4510b0745dee23 SHA-256: 49957aeeff82e5437d5e6b54948b07c6fc3e2880b06446507eb027f283693460

92 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic, pointing to various PDF files hosted on different domains. The document body, though partially corrupted, includes the text 'Tipos de metamorfismo de las rocas' and references to wkhtmltopdf, suggesting a potential SEO spam or redirection scheme. The primary function appears to be directing users to a network of external resources rather than delivering a direct payload.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 3

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://wellreadpro.net/uploads/1/3/0/9/130968981/130968981.html#tipos+de+metamorfismo+de+las+rocas
- http://happyvids.com/uploads/1/3/0/5/130590029/wonudemevuwopodetuv.pdf
- http://www.skinboostlab.org/uploads/1/3/0/2/130289557/mesezowizemoku.pdf
- http://anotherwayguitar.com/uploads/1/3/0/6/130640232/puvadixame.pdf
- http://www.desert-snow.com/uploads/1/3/0/7/130740050/cc3af9.pdf
- http://leakrepairseattle.com/uploads/1/3/0/5/130589277/69be6d1e95144.pdf
- http://type23.net/uploads/1/3/0/7/130775107/3524103c549.pdf
- http://nynjpropertyinspections.com/uploads/1/3/0/7/130738637/xaxokularu-vetezewedodox-muvatik-kukilowatarad.pdf
- http://quarkinstitute.org/uploads/1/3/0/4/130489175/5ed6aa.pdf
- http://butterfliesandsweat.com/uploads/1/3/0/6/130621995/gosixeboramor_zuvewejomapowox.pdf
- http://mchcsaint.com/uploads/1/3/0/3/130313087/detazefotujunukasa.pdf
- http://ausalon.com/uploads/1/3/0/5/130552034/5777446.pdf
- http://barnproduction.com/uploads/1/3/0/8/130813846/bbb5d29e2c5.pdf
- http://www.need4apps.com/uploads/1/3/0/5/130589371/gokuzesiduselo.pdf
- http://www.a2zgeneralconstruction.com/uploads/1/3/0/6/130639386/0d701f7bdf223.pdf
- http://hollowrocktenkiller.com/uploads/1/3/0/3/130323227/7453564.pdf
- http://www.bigd401k.com/uploads/1/3/0/3/130323888/mixediges.pdf
- http://independentit.net/uploads/1/3/0/2/130287953/4f628ece3b9.pdf
- http://www.laplatapelotherapy.com/uploads/1/3/0/8/130874416/pudipumepudejoz_woxekokera_vutumu_pumoguwo.pdf
- http://architechart.com/uploads/1/3/0/6/130621432/vetusegulito-febumipefeku-nepudinewega.pdf
- http://abundant-lifechurch.com/uploads/1/3/0/7/130739280/2593214.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0000789d.bin` `aa32373c2d23d53182517e19ec96d776052a459c40bff82648dc184c9356edfa`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x789D	8072 bytes
`font_01_sfnt_off00009662.bin` `bb66d78edca8aa75a8db461931e44ad6eab12e4cd439df836d92d13c6ef6c22d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9662	2668 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.