PDF malware analysis — malicious · 5ef0ad8811bfe099

MALICIOUS

PDF

46.3 KB Created: 2020-04-03 18:15:32 +03:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)

MD5: 10371d6d13dfd9c21dbe078706225082 SHA-1: 8fe80f4f2282b87d345ada98a0bb734f307944f3 SHA-256: 5ef0ad8811bfe0995678d6a25b1bb00fb4d8a1981ae5363dc6d5233203b99d2d

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

This PDF file exhibits characteristics of a link farm, containing numerous external URLs disguised as a firmware update. The ML classifier strongly indicates maliciousness, and the PDF_SEO_LINK_FARM heuristic confirms the presence of a mass of external links, likely intended to redirect users to malicious sites. No scripts were extracted, but the document body and heuristics point towards a social engineering tactic to drive traffic to potentially harmful content.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://annkellettghostwriting.com/uploads/1/3/1/4/131406930/131406930.html#onkyo+tx-nr616+firmware+update+usa
- http://dodafit.com/uploads/1/3/0/2/130272582/2843444.pdf
- http://instlarcafe.com/uploads/1/3/0/2/130289583/jikumerewalu_bakez_xonudaret_jozolelazimog.pdf
- http://angela-devine.com/uploads/1/3/0/5/130588688/1325836.pdf
- http://dimaggioconstruction.com/uploads/1/3/0/4/130477245/tidozejabadaw.pdf
- http://zimpat.net/uploads/1/3/0/4/130483550/1251991.pdf
- http://alexaleighfletcher.com/uploads/1/3/0/6/130604434/d27a02085707.pdf
- http://gchameleon.com/uploads/1/3/0/6/130639538/puxixomete.pdf
- http://cliktok.com/uploads/1/3/1/3/131382696/3367237.pdf
- http://danielamora.com/uploads/1/3/0/5/130551994/worabeviful.pdf
- http://appropertysolutions.net/uploads/1/3/0/2/130288802/f3497f1a.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006de9.bin` `423e7fc5694f4273cdd8747c96c3927ca88d207e1c689e828fd3590f9863b7c4`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6DE9	7904 bytes
`font_01_sfnt_off00008cbd.bin` `a56bd5ca61d7c27fcf76b48a55b46fabe7ae1264652afd3190dbadd76b62d8e6`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8CBD	2628 bytes
`font_02_sfnt_off0000960b.bin` `2f79ba52acca039e5c354f09c372eb8b3e5c303dfc88b98fa2ec462876c681ba`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x960B	16160 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.