PDF malware analysis — malicious · bc757df2e50856ce

MALICIOUS

PDF

46.7 KB Created: 2020-03-16 02:50:18 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)

MD5: 21778382cbcb0f176803fe45cd70a43d SHA-1: 92e69a05a13edf5fc87f27bdc12c20206cc189e1 SHA-256: bc757df2e50856ceec72ffd2ca1c9c9c30d4eec2effcbc6f21950353f0746dd5

96 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains a large number of external links, many of which are structured as SEO-friendly URLs pointing to PDF documents. The heuristic 'PDF_SEO_LINK_FARM' indicates a high likelihood of this being a link farm designed to distribute malicious content. The ML classifier also flagged this PDF with high confidence. The primary attack pattern involves luring users with a seemingly innocuous document title to click on one of the embedded links, which likely leads to a malicious payload or phishing page.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://adsl-63-204-18-30.benefitplans.org/uploads/1/3/0/6/130620820/130620820.html#app+inventor+2+book+pdf
- http://riseshine.com.au/uploads/1/3/0/4/130483070/lijuzovaxe.pdf
- http://www.ejkconsultants.com/uploads/1/3/0/3/130313106/1729e88.pdf
- http://andrephilippephoto.net/uploads/1/3/0/5/130539553/3220934.pdf
- http://www.olinthompson.com/uploads/1/3/0/4/130476574/4818579.pdf
- http://gncseattle.com/uploads/1/3/0/7/130740556/ccd0bff3a4.pdf
- http://sonsetministries.com/uploads/1/3/0/3/130323167/5905331.pdf
- http://careersinmentalhealth.com/uploads/1/3/0/6/130605493/3888079.pdf
- http://noosalittlecove.com/uploads/1/3/0/6/130620283/rebarubor-rawuwidijuvur.pdf
- http://jackpassions.com/uploads/1/3/0/6/130621912/jonikunubanadu-bajoxegukenel.pdf
- http://daviegaragedoornc.com/uploads/1/3/0/3/130323285/74f062.pdf
- http://www.puriri-wiltshire.co.nz/uploads/1/3/0/8/130813558/majigi-mosirogavuxi-zotubova-temoruvuluve.pdf
- http://aliahjan.co.nz/uploads/1/3/0/5/130588778/c57ddd09f4ac0.pdf
- http://ameliaquilts.com/uploads/1/3/0/2/130291800/gagobareloj_vemasiteben.pdf
- http://weneedtotalkaboutmentalhealth.com/uploads/1/3/0/6/130620453/7223323.pdf
- http://percussify.com/uploads/1/3/0/5/130590162/6348711.pdf
- http://oktakstas.com/uploads/1/3/0/8/130874039/lizuw.pdf
- http://swimhair.com/uploads/1/3/0/2/130272353/4310230c560b54.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00008dce.bin` `5690ae60b3f095c4a9dda525916a13deec6b243d292daa5c203ddb1899d99b8d`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x8DCE	8328 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.