PDF malware analysis — malicious · 85d118e2d5f7019c

MALICIOUS

PDF

30.5 KB Created: 2020-06-05 15:29:36 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)

MD5: 1005b74869a079b352053573a20cef53 SHA-1: bc1cc1f1b0baa4ac76416cce5f67ee28fd123d64 SHA-256: 85d118e2d5f7019c1c85aa33632a7269f85746e7107c6f7db6b3bc993cd6bec6

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.007 JavaScript

The PDF document contains numerous external links, many of which are structured as a link farm, suggesting an attempt to drive traffic to potentially malicious sites. The document body, though partially corrupted, contains text related to 'Biozone answers free' and embedded URLs, indicating a lure for users to click through to external content. No scripts were extracted, but the PDF structure and extensive link farm heuristic strongly suggest a malicious intent to redirect users.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://mta-sts.douglindsayreserve.com/uploads/1/3/0/7/130776118/130776118.html#biozone+answers+free
- http://narrinspiceandsauce.com/uploads/1/3/0/5/130588289/rowegenijonogi.pdf
- http://promotenyc.org/uploads/1/3/0/5/130540420/8538012.pdf
- http://1bv.undesirable.us/uploads/1/3/0/3/130313274/3026686.pdf
- http://milversteadapps.com/uploads/1/3/0/9/130969835/534124.pdf
- http://iafaindy.com/uploads/1/3/0/4/130479008/lolof.pdf
- http://matsbalko.com/uploads/1/3/0/7/130776341/7162916.pdf
- http://ayurwellbeing.com/uploads/1/3/0/4/130436093/8115455.pdf
- http://mta-sts.douglindsayreserve.com/uploads/1/3/0/7/130776118/terms.html
- http://mta-sts.douglindsayreserve.com/uploads/1/3/0/7/130776118/dmca.html
- http://mta-sts.douglindsayreserve.com/uploads/1/3/0/7/130776118/policy.html
- http://www.ascendercorp.com/
- http://www.ascendercorp.com/typedesigners.html
- https://nagebametodo.files.wordpress.com/2020/06/42148933204.pdf
- https://mugitemos.files.wordpress.com/2020/06/sumomexeguvigobegavixup.pdf
- https://tesukejiget.files.wordpress.com/2020/06/13392159527.pdf
- https://sonisituwul.files.wordpress.com/2020/06/10036060862.pdf
- https://nopibakemega.files.wordpress.com/2020/06/84494022665.pdf
- https://sogogaba.files.wordpress.com/2020/06/8124363458.pdf
- https://butepeze.files.wordpress.com/2020/06/81640360016.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
- http://scripts.sil.org/OFL

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00004e81.bin` `8ee4f925bef8e9640e24e22d65e3d5289fbbf8589996fdfd4ecfc21a77037584`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x4E81	9236 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.