Malicious PDF — malware analysis report

Static analysis result for SHA-256 21cd67aefaeead57…

MALICIOUS

PDF

38.9 KB Created: 2020-06-11 23:03:00 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 8b4144161a7239f928e9abc504ad09ca SHA-1: bca40907c627ef33fe9488ad3ab6853d0d3e2222 SHA-256: 21cd67aefaeead573b76539078468a3d7c752cd635d39b51b60073169a0477b2
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.002 Spearphishing Attachment T1059.001 PowerShell

The PDF document contains numerous external links, many of which point to suspicious domains and appear to be part of a link farm designed to inflate SEO rankings. The document body, though heavily obfuscated, contains a URL that is also present in the heuristics. This suggests the document's primary purpose is to redirect users to potentially malicious websites, possibly for phishing or malware distribution.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://inlandcbd.com/uploads/1/3/0/5/130588846/130588846.html#exercise+for+breast+enlargement
    • http://southerngoatbreedersasscociation.org/uploads/1/3/0/6/130640062/wekifoxonomosaverifo.pdf
    • http://sberprize.space/uploads/1/3/0/7/130740477/8536830.pdf
    • http://webdisk.breckrothage.com/uploads/1/3/0/7/130740069/5337545.pdf
    • http://thankgodeveryday.org/uploads/1/3/0/7/130739332/sarutiteje.pdf
    • http://mta-sts.mail.silvercloudexpress.com/uploads/1/3/0/5/130588679/8206339.pdf
    • http://glorythief.net/uploads/1/3/0/6/130639682/kovepopuzufiv_gepar_ninikixage_widuniraw.pdf
    • http://thewellnesswarriors.net/uploads/1/3/0/3/130312914/fadowarevowake.pdf
    • http://rachelsbakehouse.com/uploads/1/3/0/4/130483273/fikorisini_lizunuwef_xebiwinuz.pdf
    • https://modunopowo.files.wordpress.com/2020/06/51902766519.pdf
    • https://xogetezotaba.files.wordpress.com/2020/06/61380065446.pdf
    • https://jumuxek227837891.files.wordpress.com/2020/06/2934932544.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off00006d6b.bin
9f117618b1ec19ea1bc864b32f380a92740ceba18f10f2da0f2397fc2d9aa0ba		 pdf-font-stream PDF embedded font (sfnt) at offset 0x6D6B 10148 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.