Malicious PDF — malware analysis report

Static analysis result for SHA-256 1b282ef9a946ee2d…

Verdict: MALICIOUS
File type: PDF
Size: 89.4 KB
Created: 2020-03-23 07:31:47 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 3bc27981bc249a7f13e9280716e9d68a
SHA-1: ae2576a47622d1c8300c25047170dce933f23e19
SHA-256: 1b282ef9a946ee2d91ecff6da16f81b3dd0285a87ebbe25d6a549a78bd7dd868
Risk Score: 62

Malware Insights

MITRE ATT&CK:
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of external links, a technique often used for SEO poisoning or to distribute further malicious content. The primary heuristic identified a 'PDF_SEO_LINK_FARM' pointing to 'sunfamily.xyz' and other domains, suggesting a coordinated effort to host numerous PDF files. The document body, though partially corrupted, contains a URL that matches one of the identified external links, reinforcing the link farm attack pattern. No scripts were extracted from this sample.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00011e4d.bin
SHA-256: f03f96dfc4e4dc8594785674449b4d1879ddacb095a4d7dc9de8cb84a003ce6e
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x11E4D
Size: 9644 bytes

Filename: font_01_sfnt_off00013fee.bin
SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x13FEE
Size: 16036 bytes