PDF malware analysis — malicious · 4d9e3efa7b57b459

MALICIOUS

PDF

35.1 KB Created: 2020-06-03 23:41:23 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 9bd1b09d4d2144fd8f7686df68ac54ab SHA-1: 69909fec8981a64f55044e2db7f5ad06c1a632aa SHA-256: 4d9e3efa7b57b45918dc40f6a400eeccd2a2bd3db1ba2b614518c523a338e359

172 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF file contains a large number of embedded external links, indicating a link farm or SEO poisoning attempt. The PDF_LAUNCH heuristic firing suggests that the document is designed to trigger an action, likely directing the user to one of the numerous external URLs. The ML classifier strongly indicates maliciousness. No scripts were extracted, limiting the analysis of direct payload delivery.

Machine Learning

Nyx PDF Classifier malicious score 0.9999

Heuristics 5

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
Launch action high PDF_LAUNCH

PDF contains a /Launch action with an unresolved or extension-less target — treat as potentially dangerous
Clickable PDF combines external action with parser-evasion structure high PDF_ACTION_PARSER_EVASION

PDF has an external clickable URI together with object graph or xref structures that make parsers disagree, such as divergent duplicate objects, parser divergence, or xref offset mismatch. That combination is stronger than a plain link: the document is both an outward-action carrier and a parser-confusion/evasion sample.
External URI info PDF_URI

PDF contains an external URL action
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://smokin.tires/uploads/1/3/0/9/130969659/130969659.html#graphing+lines+and+inequalities+worksheet
- http://benjohnsontragedy.com/uploads/1/3/0/6/130605351/rasatub-fipemipinalobe-xoxum.pdf
- http://motoinspektor.com/uploads/1/3/0/5/130546457/bc5e794b.pdf
- http://alltheboxndice.com/uploads/1/3/0/2/130291712/7193950.pdf
- http://dkrhomestaging.com/uploads/1/3/0/5/130539155/d7f71296ac.pdf
- http://hostmaster.paperclippenguin.com/uploads/1/3/1/3/131397997/zosufuwu_xoniwisizap_terev_gometimotoluf.pdf
- http://ben-collie.com/uploads/1/3/1/4/131438151/loveregu-zozodojo-ropeziwafin-lobizevimaxopi.pdf
- http://launch.ctk.net/uploads/1/3/0/5/130551323/pilexenoz.pdf
- http://smokin.tires/uploads/1/3/0/9/130969659/terms.html
- http://smokin.tires/uploads/1/3/0/9/130969659/dmca.html
- http://smokin.tires/uploads/1/3/0/9/130969659/policy.html
- https://vemazoxubisi.files.wordpress.com/2020/06/84620870454.pdf
- https://nemopopa.files.wordpress.com/2020/06/wosuzipagelagixofipimak.pdf
- https://febiralugo.files.wordpress.com/2020/06/37374050690.pdf
- https://vemupuki.files.wordpress.com/2020/06/sivagesizo.pdf
- https://kosezupawi.files.wordpress.com/2020/06/98085850982.pdf
- https://zanixef.files.wordpress.com/2020/06/97679652864.pdf
- https://muwafinatub.files.wordpress.com/2020/06/sekuragan.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00005e21.bin` `8f8d9d43ee300a7fe29910d114074ede54b76977226cb0f24fe0a11e592ef8d1`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x5E21	10076 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.