Malicious PDF — malware analysis report

Static analysis result for SHA-256 1e9f792b4e319d59…

Verdict: MALICIOUS
File type: PDF
Size: 39.3 KB
Created: 2020-06-08 09:49:44 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 823230cf4c52fe4b4f1b3340d0c97469
SHA-1: 89f482eb40cfb7455786d2a1818fb61728f978f5
SHA-256: 1e9f792b4e319d598aad7b3a026c13f0f9f26b1f3915789d79ea7ac1c89ff5bb
Risk score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File

The document contains a large number of external links, flagged by the PDF_SEO_LINK_FARM heuristic. The link targets are further PDF files hosted across many unrelated domains, which matches an SEO link farm or distribution mechanism rather than a genuine citation pattern: most targets share the same /uploads/1/3/<d>/<d>/<id>/<name>.pdf path template, and a second cluster sits on files.wordpress.com. The primary URL is http://090jb.slpny.com/uploads/1/3/0/5/130589031/130589031.html#%25C5%259Fems+suresi+indir; its fragment is double percent-encoded and decodes to the Turkish search phrase "şems suresi indir", i.e. SEO bait rather than a document anchor. The file was produced by wkhtmltopdf, an HTML-to-PDF renderer, which fits automated generation from a web page. The document body consists of garbled text interspersed with some of these URLs, further supporting the link-farm assessment.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Primary URL: http://090jb.slpny.com/uploads/1/3/0/5/130589031/130589031.html#%25C5%259Fems+suresi+indir
    Link targets (external PDF files):
    • http://meg-dolan.com/uploads/1/3/0/2/130272579/d3ada0f274.pdf
    • http://anidea.company/uploads/1/3/0/5/130589249/josuwuf_didoza.pdf
    • http://scentsful.com/uploads/1/3/0/4/130488311/lukurojisu.pdf
    • http://reiwang.com/uploads/1/3/1/8/131857390/6382532.pdf
    • http://adsl-63-197-136-245.csmco.com/uploads/1/3/0/6/130620972/boborefinejovotenuza.pdf
    • http://hostmaster.peterkayfans.co.uk/uploads/1/3/1/6/131606624/357afbe81.pdf
    • http://hankshandcraftedsalsa.com/uploads/1/3/0/5/130588547/b6fdec7fa0.pdf
    • http://opitollc.com/uploads/1/3/0/5/130539738/7190935.pdf
    • http://webistic.com/uploads/1/3/0/3/130313145/tuzugotoge.pdf
    • https://pepemejone391185662.files.wordpress.com/2020/06/83816833796.pdf
    • https://getosixiwe.files.wordpress.com/2020/06/48535708641.pdf
    • https://tirokixut.files.wordpress.com/2020/06/76472948129.pdf
    • https://nagunekiweva.files.wordpress.com/2020/06/somazixudibuzazikexasuko.pdf
    • https://vejelarajen.files.wordpress.com/2020/06/zutok.pdf
    XMP metadata namespace URIs (schema identifiers from the document's XMP packet, swept up by the URL extractor; these are not clickable links and carry no indicator value):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
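The three heuristics above (a link-farm rule over /URI link actions, a generic URL sweep that also catches XMP namespace identifiers, and a double-encoded fragment in the primary URL) can be reproduced with a short triage script. The following is an added example written for this page, not the scanner's own code: the regex-based PDF parsing, the thresholds in link_farm_verdict, the XMP prefix list and the example.net/example.org link set are all assumptions, and build_sample_pdf constructs a test file rather than reading the analysed sample.

```python
"""Link-farm triage for a PDF: count /URI link actions, measure host clustering,
set XMP namespace URIs apart from real links, and peel double percent-encoding."""
import re
import sys
from collections import Counter
from urllib.parse import urlparse, unquote_plus

# /URI (...) actions, i.e. clickable link targets. PDF literal strings may carry
# backslash escapes such as \( \) \\ so the body is matched escape-aware.
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
# Loose sweep for anything URL-shaped, mimicking a generic EMBEDDED_URL extractor.
# It also catches XMP namespace identifiers, which are schema names, not links.
ANY_URL_RE = re.compile(rb"https?://[^\s<>\"')\]]+")
# Namespace prefixes found in typical XMP packets (assumed list; extend as needed).
XMP_NAMESPACE_PREFIXES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://purl.org/dc/elements/",
    "http://ns.adobe.com/",
)


def _unescape_pdf_string(raw: bytes) -> str:
    """Undo backslash escapes in a PDF literal string (sufficient for URLs)."""
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")


def extract_link_uris(pdf: bytes) -> list[str]:
    """Targets of /URI actions: what a user actually reaches by clicking."""
    return [_unescape_pdf_string(m.group(1)) for m in URI_ACTION_RE.finditer(pdf)]


def extract_all_urls(pdf: bytes) -> list[str]:
    """Every URL-shaped string in the file, metadata namespaces included."""
    return [m.group(0).decode("latin-1") for m in ANY_URL_RE.finditer(pdf)]


def is_xmp_namespace(url: str) -> bool:
    return url.startswith(XMP_NAMESPACE_PREFIXES)


def decode_layers(text: str, max_rounds: int = 5) -> tuple[str, int]:
    """Percent-decode repeatedly until stable; returns (plaintext, layers removed)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text, rounds = decoded, rounds + 1
    return text, rounds


def link_farm_verdict(pdf: bytes, *, max_size: int = 96 * 1024, min_links: int = 8,
                      min_pdf_share: float = 0.5, min_host_share: float = 0.5) -> dict:
    """PDF_SEO_LINK_FARM-style rule (thresholds are assumptions, not the scanner's):
    small file, many external links, mostly .pdf targets, concentrated on one host."""
    external = [u for u in extract_link_uris(pdf) if urlparse(u).scheme in ("http", "https")]
    n = len(external)
    hosts = Counter(urlparse(u).hostname or "" for u in external)
    top_host, top_count = hosts.most_common(1)[0] if hosts else ("", 0)
    pdf_links = sum(urlparse(u).path.lower().endswith(".pdf") for u in external)
    verdict = {"size": len(pdf), "external_links": n, "pdf_links": pdf_links,
               "top_host": top_host, "top_host_share": top_count / n if n else 0.0}
    verdict["link_farm"] = (len(pdf) <= max_size and n >= max(min_links, 1)
                            and pdf_links / n >= min_pdf_share
                            and verdict["top_host_share"] >= min_host_share)
    return verdict


def analyse(pdf: bytes) -> dict:
    """Triage record: verdict, namespace URIs set aside, decoded fragments."""
    report = link_farm_verdict(pdf)
    report["xmp_namespaces"] = sorted({u for u in extract_all_urls(pdf) if is_xmp_namespace(u)})
    report["decoded_fragments"] = {u: decode_layers(urlparse(u).fragment)[0]
                                   for u in extract_link_uris(pdf) if "%25" in urlparse(u).fragment}
    return report


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed test input (not the analysed sample): one page, one /Link annotation
    per URL, plus an XMP packet. No xref table is written, so it feeds the extractors
    above but is not guaranteed to open in a viewer."""
    annots, objs = [], []
    for num, url in enumerate(urls, start=5):
        esc = url.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
        objs.append(f"{num} 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 100 10] "
                    f"/A << /S /URI /URI ({esc}) >> >> endobj")
        annots.append(f"{num} 0 R")
    xmp = ('<x:xmpmeta xmlns:x="adobe:ns:meta/">'
           '<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">'
           '<rdf:Description xmlns:pdf="http://ns.adobe.com/pdf/1.3/" pdf:Producer="wkhtmltopdf"/>'
           '</rdf:RDF></x:xmpmeta>')
    body = "\n".join([
        "%PDF-1.4",
        "1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >> endobj",
        "2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
        f"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [{' '.join(annots)}] >> endobj",
        f"4 0 obj << /Type /Metadata /Subtype /XML /Length {len(xmp)} >> stream\n{xmp}\nendstream endobj",
        *objs, "trailer << /Root 1 0 R >>", "%%EOF"])
    return body.encode("latin-1")


# Constructed link set mirroring the reported pattern: an HTML landing page with a
# double percent-encoded fragment, eight .pdf targets on one host, two stragglers.
# Hostnames are RFC 2606 reserved examples, not the sample's real domains.
SAMPLE_LINKS = (
    ["http://landing.example.net/uploads/1/3/0/5/page.html#%25C5%259Fems+suresi+indir"]
    + [f"http://cdn.example.net/uploads/1/3/0/5/{i:09d}/doc{i}.pdf" for i in range(8)]
    + ["https://mirror.example.org/2020/06/a.pdf", "https://other.example.com/b.pdf"])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pdf(SAMPLE_LINKS)
    for key, value in analyse(data).items():
        print(f"{key}: {value}")
```

Run it with a file path to triage a real PDF, or without arguments to use the constructed sample. Only /URI actions feed the verdict; the ANY_URL_RE sweep exists to show why the XMP namespaces above appear in an extractor's output and why they are filtered out before scoring. Note that the real sample spreads its targets over many hosts and clusters on a path template instead, so a production rule would add a path-shape measure alongside host share.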

Extracted artifacts (2)

Files carved from inside the sample during analysis. Both are embedded sfnt (TrueType/OpenType) font subsets, the normal output of an HTML-to-PDF converter such as wkhtmltopdf; nothing in this report flags them as malicious on their own.

Filename                      Kind             Source                                      Size
font_00_sfnt_off00006184.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6184   1596 bytes
  SHA-256: c77e75776588398c3cb4264560847978e48291383a4703aa1974b018176546c8
font_01_sfnt_off00006991.bin  pdf-font-stream  PDF embedded font (sfnt) at offset 0x6991   12408 bytes
  SHA-256: 258e28d1db5d09aa0c8733f927e793dc6ae043e4140fde78868fb0907281c873