PDF malware analysis — malicious · 6c095c1abae44d77

MALICIOUS

PDF

79.9 KB Created: 2020-06-09 10:32:40 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 5af1fd885fbb9919e67a1ba87db0d826 SHA-1: 9b20fb503f451116f32fb78da85bb6c253c22ab8 SHA-256: 6c095c1abae44d773e641be06e598fcc25a0449c8d5031ad05f5e8d7c5baaa65

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF contains a large number of embedded external links, flagged as a link farm, suggesting a malicious intent to redirect users. The ML classifier also strongly indicated maliciousness. While no scripts were directly extracted, the PDF structure and embedded URIs are indicative of a phishing or malware distribution attempt.

Machine Learning

Nyx PDF Classifier malicious score 0.9999

Heuristics 4

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://pierredthomasgallery.com/uploads/1/3/0/7/130775021/130775021.html#%25D9%2582%25D8%25B5%25D8%25B5+%25D8%25A7%25D9%2584%25D8%25A5%25D8%25AE%25D9%2588%25D8%25A9+%25D8%25AC%25D8%25B1%25D9%258A%25D9%2585+%25D8%25A8%25D8%25A7%25D9%2584%25D8%25A3%25D9%2584%25D9%2585%25D8%25A7%25D9%2586%25D9%258A%25D8%25A9
- http://monoki.org/uploads/1/3/0/8/130814342/4214564.pdf
- http://mail.lawn-rite.com/uploads/1/3/0/6/130639719/kixibiloji.pdf
- http://roadspiritbells.com/uploads/1/3/0/3/130313541/nirijilivaga.pdf
- http://christeymader.com/uploads/1/3/0/6/130605426/5158672.pdf
- http://jakeglobox.com/uploads/1/3/0/9/130968963/1691287.pdf
- http://chrisbeacock.com.au/uploads/1/3/0/7/130775519/c54b7546ed32.pdf
- http://d18wj.dtmgt.com/uploads/1/3/0/3/130323957/kadofizi.pdf
- http://kariongphysiotherapy.com/uploads/1/3/0/5/130588923/2825192.pdf
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://bokisutedex.files.wordpress.com/2020/06/wokemitoniliriju.pdf
- https://zomoxazira.files.wordpress.com/2020/06/60006621596.pdf
- https://zisagan.files.wordpress.com/2020/06/dujozofalunug.pdf
- https://piledina.files.wordpress.com/2020/06/malakinu.pdf
- https://xovupizi.files.wordpress.com/2020/06/98705454930.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://dejavu.sourceforge.net
- http://dejavu.sourceforge.net/wiki/index.php/License
- http://scripts.sil.org/OFL

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`stream_003_off0000d873.bin` `02481d8c241ef6261d6de333e670dd232c590f03f82c60481653f5396b7a001e`	decompressed-pdf-stream	PDF FlateDecoded stream at offset 0xD873	32176 bytes
`font_01_sfnt_off0001101c.bin` `86ad409b9f0559fb241b0e6494136d283259fac665651a96f8cd464f3f841385`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x1101C	9572 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.