Malicious PDF — malware analysis report

Static analysis result for SHA-256 1b16302b2f2249c3…

MALICIOUS

PDF

Size: 38.9 KB
Created: 2020-03-25 01:02:06 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)

MD5: 59f16427ab74ba428c85dd5782f47ab9
SHA-1: 99b3632b39f4722327d9e55c44598ab683df73a7
SHA-256: 1b16302b2f2249c3241d9a13ec21b19618eeb6f6179b25f2620de3addf794bd3

Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links pointing to various PDF files on different domains. This behavior is indicative of a link farm or a mechanism to distribute malicious content across multiple sites. The document body, though partially corrupted, contains a URL that aligns with the observed link farm pattern. No scripts were extracted from this sample.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_URI: External URI
    PDF contains an external URL action.
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00006de1.bin
    SHA-256: b4a986ba7d09b84a86334b654e41d039c7e7e3cb967ca2bf7ec96eaedd357c66
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6DE1
    Size: 8440 bytes