Malicious PDF — malware analysis report

Static analysis result for SHA-256 21fd8b0a7dec4dcd…

Verdict: MALICIOUS
File type: PDF
Size: 43.3 KB
Created: 2020-04-03 07:46:22 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 8b58eee5fb6aaa61a87028ffec64a439
SHA-1: 6c09ad0efc5df75ef85b9a52f386d508759b2401
SHA-256: 21fd8b0a7dec4dcdde4fb00eacf58ca2deec7b8ae49110ada23e58bcd4c49216
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF file contains a large number of external links, as indicated by the PDF_SEO_LINK_FARM heuristic. These links point to various domains, suggesting a link farm or a distribution mechanism for further malicious content. The document body contains garbled text and references to 'Siglas de diccionario dela real academia española', which appears to be a lure to disguise the malicious nature of the PDF. No scripts were extracted from this sample.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://withlovehairco.com/uploads/1/3/1/3/131383908/131383908.html#siglas+de+diccionario+dela+real+academia+espa%C3%B1ola
    • http://293149343277459497.com/uploads/1/3/0/2/130272283/5343852.pdf
    • http://sustainshelby.com/uploads/1/3/0/6/130603842/bukowafobisax_kudonojeribaxiz_fakujujofozu.pdf
    • http://championcivil.com/uploads/1/3/1/4/131438003/lelaju_tuzuzapazo.pdf
    • http://trendhomestaging.net/uploads/1/3/0/7/130740175/bazatavojejizamalasi.pdf
    • http://mansester.com/uploads/1/3/0/2/130271126/xumog-sobaxuvaxomus.pdf
    • http://anewirrigation.com/uploads/1/3/0/3/130379167/6562629.pdf
    • http://moronislandsoap.com/uploads/1/3/0/5/130589048/8b61ad4e9b07.pdf
    • http://metlifelostpensions.com/uploads/1/3/0/7/130775389/vifijak-turaxorele-motivivelij.pdf
    • http://mavieenrose.shop/uploads/1/3/0/8/130813132/b200b46cdf3d18.pdf
    • http://des-sens.com/uploads/1/3/0/5/130546243/vedemebupomefag_tokuxisofoxezop.pdf
    • http://stlhospitality.com/uploads/1/3/0/9/130969399/niwuva.pdf
    • http://touristhappiness.com/uploads/1/3/0/8/130874204/7922835b17deff7.pdf
    • http://rebeccacranstonforcolorado.com/uploads/1/3/0/9/130969297/tevovesakowi.pdf
    • http://offworldco.com/uploads/1/3/0/6/130604537/10a67b71ed12a.pdf
    • http://clohessyconstruction.com/uploads/1/3/0/6/130620789/2031841.pdf
    • http://aminomassage.com/uploads/1/3/0/6/130605438/soxebitofelok-gizovufomeniw-lusav-votope.pdf
    • http://dk-jackson.com/uploads/1/3/0/6/130604759/d0bc4.pdf
    • http://simplyperfectnutrition.com/uploads/1/3/1/0/131069824/bidanak_jeguridari.pdf
    • http://beadmesilly.com/uploads/1/3/1/3/131384667/2818752.pdf
    • http://carepackageessentials.ca/uploads/1/3/0/9/130969026/3834691.pdf

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00008285.bin
  SHA-256: 9bf5c5b42ef47aa896b68fe6a39c677cca51bb214e18de40730b0e548f7bf67b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x8285
  Size: 9664 bytes

Filename: font_01_sfnt_off0000a58b.bin
  SHA-256: e2f1373bf3d70a40ff4276a486f0a1d2d32154e4f45ad1243a44c3d3b7d91cea
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0xA58B
  Size: 2652 bytes