Malicious PDF — malware analysis report

Static analysis result for SHA-256 1b5ed5d759c1d8cd…

MALICIOUS

PDF

68.9 KB Created: 2020-06-03 20:11:21 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: fe53d945269122419a24ab7f98186547 SHA-1: b4cea47394e5f0fd1abb2b6a7c4c879d2d59bf21 SHA-256: 1b5ed5d759c1d8cda74a2ad616ab7d4b787c79732b69ba4b2206d3dfbf471998
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF contains numerous embedded URLs pointing to external websites, a technique often used for SEO spam or to redirect users to malicious content. The 'PDF_SEO_LINK_FARM' heuristic firing indicates a large number of external links, suggesting a link farm or spamming operation. The document body contains text fragments that appear to be part of the lure, such as 'Watch happy sugar life'. No scripts were extracted, limiting the analysis of direct malicious actions.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://intothe4thdimension.com/uploads/1/3/1/6/131608017/131608017.html#watch+happy+sugar+life
    • http://aryadnamusic.net/uploads/1/3/0/8/130874134/6ae53ba3.pdf
    • http://rakkan4x4.com/uploads/1/3/0/4/130488780/3fb82.pdf
    • http://bigcitymanagementllc.com/uploads/1/3/0/7/130739336/e7afa81.pdf
    • http://edgecreativity.com/uploads/1/3/0/5/130544034/6733304.pdf
    • http://daniellepearl.com/uploads/1/3/1/4/131453436/8392560.pdf
    • http://minimumtread.com/uploads/1/3/0/4/130483499/3002042.pdf
    • http://intothe4thdimension.com/uploads/1/3/1/6/131608017/terms.html
    • http://intothe4thdimension.com/uploads/1/3/1/6/131608017/dmca.html
    • http://intothe4thdimension.com/uploads/1/3/1/6/131608017/policy.html
    • https://zimorujiwek.files.wordpress.com/2020/06/27490726874.pdf
    • https://dukidowa.files.wordpress.com/2020/05/vejodupopexomatag.pdf
    • https://tobumediru.files.wordpress.com/2020/06/9077185460.pdf
    • https://juzomore.files.wordpress.com/2020/06/latosekuzepidobokameduzi.pdf
    • https://zopowozofoje.files.wordpress.com/2020/06/sazalowop.pdf
    • https://livobaxuw793041599.files.wordpress.com/2020/06/51912438111.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 3

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off000097bc.bin
cb078f160cf5015ab5cbc29978e43b147f951674f91e07694905646b47ed9c3d		 pdf-font-stream PDF embedded font (sfnt) at offset 0x97BC 16108 bytes
font_01_sfnt_off0000cc1f.bin
907fba7f184aab86fbbda9f98e77810d6fb79b0002024f75c883dfb753bdc5e6		 pdf-font-stream PDF embedded font (sfnt) at offset 0xCC1F 10808 bytes
font_02_sfnt_off0000f067.bin
c988415812f594187b0a0ed75dc52802e798e1695b49bd300f8412a65040a449		 pdf-font-stream PDF embedded font (sfnt) at offset 0xF067 16204 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.