Malicious PDF — malware analysis report

Static analysis result for SHA-256 22181f0ff233c55d…

Verdict: MALICIOUS
File type: PDF
Size: 46.1 KB
Created: 2020-05-14 08:49:42 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 4d5581c6e00830ab7044c7062ef00180
SHA-1: 65f9de4e1c8e7e1ac549d205c65dc960f188763b
SHA-256: 22181f0ff233c55dd3c297529ac0a44fb12e77827bb7dd698434c5c8d4341a23
Risk score: 62

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell

The PDF document contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic. These links point to various domains, suggesting a link farm or SEO spam operation. The document body contains garbled text and references to 'Pip collage maker editor apk', which may be a lure. No scripts were extracted from this sample.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000062af.bin
  SHA-256: ac5cdad4555e79aa9bee77544b77f87784d66fc084c693ae09d311c70852332a
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x62AF
  Size: 3092 bytes

Filename: font_01_sfnt_off00006da5.bin
  SHA-256: b3a8c4e2e58f3e6381c03c8fe6949469c68bf17fed510ed72b495ce8a856e0e1
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x6DA5
  Size: 11500 bytes

Filename: font_02_sfnt_off00009479.bin
  SHA-256: 037050881b0047fe163075b6a03562c7055e0ea196b35ade237951a74228885c
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x9479
  Size: 16408 bytes