Malicious PDF — malware analysis report

Static analysis result for SHA-256 1e3cb4beb71ea334…

Verdict: MALICIOUS
File type: PDF
Size: 138.2 KB
Created: 2020-04-15 09:50:51 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 629cc3a6df895c6f356ad91584df00bb
SHA-1: abfcf909866df5868bc323ac3f26bc70f60b183e
SHA-256: 1e3cb4beb71ea334105a7a701dcfe4d9cb886864116b2fea25e54c0f9a2becdf
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of external links, many of which point to other PDF files hosted on similar domains. The document body text, though heavily obfuscated, contains a URL that appears to be part of a lure. This suggests a link farm or SEO poisoning technique designed to drive traffic to malicious sites. No scripts were extracted, limiting the analysis of direct payload execution.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://saintmatthewsfestival.com/uploads/1/3/1/4/131405956/131405956.html#acknowledgement+for+hotel+internship+report
    • http://kunstglad.no/uploads/1/3/0/6/130605173/beviguka_nuduvig_tulotugodazux.pdf
    • http://thefestivetree.in/uploads/1/3/1/4/131453793/makisalezaw.pdf
    • http://octelepsychiatry.com/uploads/1/3/0/7/130775346/mevafefobas.pdf
    • http://realitywhisperer.com/uploads/1/3/0/2/130289235/3233607.pdf
    • http://188prospectstreetu1.com/uploads/1/3/0/4/130489044/mogemu_fupabikaturiz_zasate_wawitim.pdf
    • http://scifichickmuses.com/uploads/1/3/0/4/130489499/kumipitosor-tefulevo-lijofepik.pdf
    • http://begoodtoyou.net/uploads/1/3/0/8/130814104/9098427.pdf
    • http://perlui.net/uploads/1/3/0/5/130551083/4473942.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Columns: Filename, SHA-256, Kind, Source, Size

  • font_00_sfnt_off0001ceb3.bin
    SHA-256: c3e9059b7daa6789362dfdcb047b518cb9b63dd2e2de3da16aa40aa25d149c6a
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1CEB3
    Size: 2204 bytes
  • font_01_sfnt_off0001d82e.bin
    SHA-256: 1c0cd7ac7aeca18de93745095066c59409aac4659f8d8bfa9e02beee888cbd5e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1D82E
    Size: 9752 bytes
  • font_02_sfnt_off0001fc9c.bin
    SHA-256: ad9f5e20cc1563f79bc996ba358913dd59147f1542b3b72de44a911d64f58b2e
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1FC9C
    Size: 2640 bytes
  • font_03_sfnt_off000205f8.bin
    SHA-256: 6ce32c7926c6f21db5640dc1790b79ec78d1dba01d796f7b775dba7caf5b1ad9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x205F8
    Size: 16076 bytes