Malicious PDF — malware analysis report

Static analysis result for SHA-256 71bba3d7a9375da0…

Verdict: MALICIOUS
File type: PDF
Size: 31.4 KB
Created: 2020-04-01 18:33:35 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 4ec455f82146fb2be3d0f31f988bff21
SHA-1: 4473aaa9c61317f102992b661c3ec7d9158152de
SHA-256: 71bba3d7a9375da042b776d05f0c5530da7e7d79bc694adfd493dbe7831e81a4
Risk Score: 156

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.007 JavaScript

The PDF contains a large number of embedded external links, a technique often used for SEO spam or to redirect users to malicious sites. The ClamAV detection 'Pdf.Dropper.Agent-8678626-0' and the ML classifier strongly indicate malicious intent. While no scripts were explicitly extracted, the PDF structure and embedded links suggest it acts as a dropper or lure, likely leveraging embedded JavaScript to facilitate the redirection or payload delivery.

Machine Learning

  • Nyx PDF Classifier malicious score 1.0000

Heuristics (5)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Dropper.Agent-8678626-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Pdf.Dropper.Agent-8678626-0
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info] PDF_DUPLICATE_OBJ_BODY_INCREMENTAL
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005617.bin
SHA-256: 8ea8118679b17a243abb71a1345851d1e01ecab225ef8fdd7b614c3ae37f2350
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5617
Size: 6604 bytes