MALICIOUS
Risk Score: 94
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.007 JavaScript
The PDF contains numerous external links, with a specific heuristic identifying it as a 'PDF_SEO_LINK_FARM'. The primary external URL points to a keyword-rich search result, suggesting a tactic to drive traffic to potentially malicious or spammy websites. While no scripts were extracted, the PDF structure and heuristics indicate a malicious intent to redirect users.
Machine Learning
- Nyx PDF Classifier malicious score 0.7003
Heuristics 3
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- External URI (info, PDF_URI): PDF contains an external URL action
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: https://xezojetit.ru/award?keyword=biblia+de+estudio+pentecostal+pdf+gratis
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000ede9.bin afc3d341366b05069426f5bfd3a133c2976ca8b74693d5ecd484186cc0aa80c1 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xEDE9 | 5512 bytes |