PDF malware analysis — malicious · 85f5228c7842feb8

MALICIOUS

PDF

57.5 KB Created: 2020-03-08 02:35:55 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)

MD5: 07c016abbaae413ab054df7037303258 SHA-1: 134a7b7f239ac4936cce1a8e77a55e757e5960b2 SHA-256: 85f5228c7842feb8be07ca9790119f9df4d050e3d9a16154a4fb4e106526d021

94 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1204.002 Malicious File

The PDF file contains a large number of external links to other PDF documents hosted on various domains. This behavior is indicative of a link farm, often used for SEO manipulation or to distribute malicious payloads. The ML classifier strongly flagged this PDF as malicious, supporting the assessment of a malicious intent. No scripts were extracted, and the document body was heavily obfuscated, limiting further analysis of specific content.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://host2.creativedatainc.com/uploads/1/3/0/7/130776074/130776074.html#jk+agrarian+reforms+act+1976+pdf
- http://canbabaoglu.com/uploads/1/3/0/5/130545087/bulafiwajib.pdf
- http://newportheightsmc.com/uploads/1/3/0/5/130550732/tugim-puzow-roxetu.pdf
- http://stlouistriathlon.com/uploads/1/3/0/7/130738701/4341409.pdf
- http://southafricanwineandfood.com/uploads/1/3/0/3/130323222/lalevajeda.pdf
- http://keystoneconcealment.com/uploads/1/3/0/3/130313403/fetepojiralos_kavikura_varujovovazig_budemadara.pdf
- http://led-ombouwset.nl/uploads/1/3/0/6/130640047/5133951.pdf
- http://timtucker.tv/uploads/1/3/0/5/130539979/sirexufiz.pdf
- http://brucepeninsulaadventure.com/uploads/1/3/0/3/130379479/4f7a8c0b.pdf
- http://lachlanvalleyroofing.com/uploads/1/3/0/4/130476628/vuzevuranufixes.pdf
- http://www.shopalittltesomethingph.com/uploads/1/3/0/7/130739053/rofarujuj.pdf
- http://2020videoreviews.com/uploads/1/3/0/2/130289354/fopigojiki_pekarefizimuba_feranoluxodidi_neputal.pdf
- http://www.legitlease.com/uploads/1/3/0/7/130739664/317991232c.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00009b76.bin` `b095009e1aa7b679086a2dd093949a1e2bfdfa179c83d9e64a20210f199a406d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x9B76	1544 bytes
`font_01_sfnt_off0000a2e6.bin` `74f76e304d78deefe3c1430a34dccfc6d7c5df340c1081fd84dd991883eb0de4`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xA2E6	8524 bytes
`font_02_sfnt_off0000c3a1.bin` `779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63`	pdf-font-stream	PDF embedded font (sfnt) at offset 0xC3A1	16036 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.