Malicious PDF — malware analysis report

Static analysis result for SHA-256 223378b86713b4ad…

Verdict: MALICIOUS
File type: PDF
Size: 46.4 KB
Created: 2020-03-17 21:01:23 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 942b9c80efec3cb09de0327e918ed397
SHA-1: 17defb4218f92ce550048a293f2cdba192d8b463
SHA-256: 223378b86713b4ad2147b8c713b1872078c53037775ed70a520d6baaf61a27c3
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, many pointing to other PDF files on various domains. This is indicative of a link farm, likely used for SEO manipulation or to distribute further malicious content. The document body itself contains garbled text and some of the extracted URLs, reinforcing the link farm observation. No scripts were extracted from this sample.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection: see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off000066cd.bin
    SHA-256: b7bf9c917f39807a1e1620b01e1269d76a90d99887b5f449e2fad544fb53fdac
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x66CD
    Size: 9604 bytes
  • font_01_sfnt_off00008993.bin
    SHA-256: 3064e7e5141c33e87cbf2e8383e01b93ba38cdfd91734008eaff4a270e81eba9
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8993
    Size: 2700 bytes
  • font_02_sfnt_off00009317.bin
    SHA-256: 80b7d2dfdb4fd17cadc9c0adb286d7f4f497d3c38955e0b67c7ccb616f9fb4cb
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9317
    Size: 16508 bytes