MALICIOUS
Risk Score: 92
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 Malicious File
The PDF contains a large number of external links to other PDF files hosted on various domains, indicating a link farm or distribution mechanism. The ML classifier strongly flagged this PDF as malicious. The primary intent appears to be directing users to a wide array of external resources, potentially for SEO manipulation or to serve as a landing page for further malicious activity.
Machine Learning
- Nyx PDF Classifier malicious score 1.0000
Heuristics 3
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- External URI (info, PDF_URI): PDF contains an external URL action
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| font_00_sfnt_off0000a421.bin 03a4179197236cfce67a813a676df7c7893fbca590bb8340480400ca3693c584 | pdf-font-stream | PDF embedded font (sfnt) at offset 0xA421 | 9500 bytes |