PDF malware analysis — malicious · 59cca9eef1f08296

MALICIOUS

PDF

123.2 KB Created: 2020-03-11 04:07:41 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)

MD5: e65eefbc46f5c1af527f22ccbfdd8cc2 SHA-1: 4f6799354542535afe9e7a7298a7f4e4e2642204 SHA-256: 59cca9eef1f0829671a80b7c5158f4d4a9434bb7c678e69eaf34bbf99f884935

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF contains a large number of external links, many of which are dynamically generated and point to PDF files with numeric slugs. The document body, though partially corrupted, contains a URL that matches one of the extracted links, suggesting a lure to a malicious website. The ML classifier strongly indicated maliciousness, and the PDF structure is indicative of a link farm used for SEO poisoning or phishing.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://74-123-76-48.mgwnet.com/uploads/1/3/0/7/130739986/130739986.html#acne+vulgaris+guideline+2016
- http://midcoastconsult.com/uploads/1/3/0/6/130605017/wiravewideroko-jikevurojate-surakedorosog.pdf
- http://greenearthteen.com/uploads/1/3/0/6/130620701/c1e85.pdf
- http://race4achievment.org/uploads/1/3/0/4/130476065/2018531.pdf
- http://arisbay.com/uploads/1/3/0/6/130604666/b02341416a0e4.pdf
- http://ramblinghouseshow.com/uploads/1/3/0/3/130313200/1626cad.pdf
- http://www.shrewddigital.com/uploads/1/3/0/2/130274343/tilipadasudatorebif.pdf
- http://theconglamerate.com/uploads/1/3/0/6/130621330/6ad54b76.pdf
- http://taptep.com/uploads/1/3/0/6/130620965/latesukabupopofapowa.pdf
- http://westboro-apts.ca/uploads/1/3/0/5/130551374/79fc1826d6f2.pdf
- http://www.cbvupholstery.com.au/uploads/1/3/0/6/130621818/tumovawufovawipuvol.pdf
- http://www.susannamazzola.com/uploads/1/3/0/5/130588352/fefosibuwatifazureja.pdf
- http://nightingaleicecreamsandwiches.com/uploads/1/3/0/8/130873962/fofimisixuw.pdf
- http://reedlibbey.com/uploads/1/3/0/7/130739480/lebixeve-vogiv-panetoxezetez.pdf
- http://topluminosity.org/uploads/1/3/0/5/130545128/gevomijup_wovusi.pdf
- http://energyfreelivingathome.com/uploads/1/3/0/2/130271042/wadadamusamimuf.pdf
- http://vincentpecoraro.com/uploads/1/3/0/5/130588207/0e05361c179d.pdf
- http://arnolddesignresources.com/uploads/1/3/0/6/130639712/35019b9fa3.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off0001ba41.bin` `94a6ac39e65b475e081b63b9e5eca2cb7f7d27b39e0e074785a51fc58ba63021`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1BA41	9604 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.