PDF malware analysis — malicious · e7a7cc04a574f271

MALICIOUS

PDF

38.9 KB Created: 2020-03-23 11:07:00 +02:00 Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)

MD5: c7ed718a40d64588a00a697badf865f2 SHA-1: b0e6a7ddbcf5e067bd69617e2b41e8ecf4c0ec6c SHA-256: e7a7cc04a574f271e09acf7a99761d195b74a6917d43deb0662be381cb0832b4

94 Risk Score

Malware Insights

MITRE ATT&CK

T1566.002 Spearphishing Attachment T1204.002 Malicious Link

The PDF document contains a large number of external links, many of which are numerically or generically named PDFs hosted on various domains. The document body text, though partially corrupted, includes a reference to 'Juegos educativos para adolescentes gratis' and the wkhtmltopdf generator, suggesting a lure to educational games. The ML classifier strongly flagged this PDF as malicious, and the PDF_SEO_LINK_FARM heuristic indicates a pattern of generating numerous links to obscure malicious content. The primary intent appears to be directing users to a network of linked websites, likely for phishing or malware distribution.

Machine Learning

Nyx PDF Classifier malicious score 1.0000

Heuristics 4

Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM

Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
External URI info PDF_URI

PDF contains an external URL action
Object number defined twice with different bodies info PDF_DUPLICATE_OBJ_BODY_INCREMENTAL

The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://johnsonandsonsservices.com/uploads/1/3/0/2/130287995/130287995.html#juegos+educativos+para+adolescentes+gratis
- http://mx.accentspcs.com/uploads/1/3/0/8/130814508/4817984.pdf
- http://litrecruiting.com/uploads/1/3/0/2/130289270/5149462.pdf
- http://wanderwell.co.uk/uploads/1/3/0/2/130272638/7963869.pdf
- http://www.poetrypush.com/uploads/1/3/0/7/130739621/7112978.pdf
- http://moneymogul.net/uploads/1/3/0/5/130589431/1866367.pdf
- http://albfseattle.com/uploads/1/3/0/8/130874567/9612493.pdf
- http://mail.david-briggs.com/uploads/1/3/0/9/130969555/gixuwulobidixar_nitenunozise_resakaxoxepi_kofisiki.pdf
- http://vaxmicuenta.com/uploads/1/3/0/8/130813306/pulipopikemob.pdf
- http://toddspectorscam.org/uploads/1/3/0/5/130545565/bejoxizibufabaxe.pdf
- http://www.simplycrafted.us/uploads/1/3/0/6/130621044/202673.pdf
- http://merakicuts.com/uploads/1/3/0/6/130620313/femulur.pdf
- http://www.lauren-teaches.com/uploads/1/3/0/5/130551927/rarugaku.pdf
- http://augustandnadia.com/uploads/1/3/0/6/130620929/famewozu_luzokilul.pdf
- http://heritageportfoliotransactions.com/uploads/1/3/0/8/130814076/b52e8d7c600.pdf
- http://clermontbusinessdirectory.com/uploads/1/3/0/7/130739449/wuxinoja-zutewixosa-toxumax.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`font_00_sfnt_off00006da4.bin` `e053849730b24cb603afe5359929d425bfb19a36eb8bf2265902a144c4326bf7`	pdf-font-stream	PDF embedded font (sfnt) at offset 0x6DA4	8428 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.