Malicious PDF — malware analysis report

Static analysis result for SHA-256 22dc65e2e5d216ab…

Verdict: MALICIOUS
File type: PDF
Size: 44.4 KB
Created: 2020-03-15 02:38:00 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 6db1b8fbcb3979261f0bebba8c9f0754
SHA-1: 6fbbae07d569d744057bae0ec86044b3bed32ef9
SHA-256: 22dc65e2e5d216ab6b81da3769177c98a631362d6a7dd8348f23efa4013421cf
Risk score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.001 User Execution: Malicious Link

The verdict rests on the PDF_SEO_LINK_FARM heuristic. The sample is a 44.4 KB document generated by wkhtmltopdf whose payload is a set of clickable link annotations: 20 external URLs, 19 of them pointing at other PDF files on unrelated domains that nevertheless share the same /uploads/1/3/<d>/<d>/13<7 digits>/ path scheme, plus one .html landing page whose URL fragment carries a keyword string. That is the shape of a generated SEO link-farm carrier rather than a document citing sources. Note that the heuristic's generic description speaks of links clustered on one host; in this sample the links are spread over 20 distinct hosts, and the clustering is in the shared path scheme instead. All three heuristic hits concern external links, and nothing in this report points to document-level exploit content, so the risk is in the destinations, which can route users into phishing or unwanted-software delivery chains.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://k0i49.salon225.com/uploads/1/3/0/4/130488700/130488700.html#data+analysis+section+in+research+report
    • http://baldwinfootball.net/uploads/1/3/1/0/131070166/ridogomuwa.pdf
    • http://trustworthypaintersvictoria.ca/uploads/1/3/0/5/130590163/mujavenonukarefukib.pdf
    • http://thecollecktive.com/uploads/1/3/0/3/130313177/pikasabi.pdf
    • http://dovyafriedman.com/uploads/1/3/0/8/130815228/vewobebu.pdf
    • http://partnertotalrewards.com/uploads/1/3/0/4/130483629/gofesikixugo-semifibasuwutix-misaragemebo.pdf
    • http://www.ambroseentertainment.com/uploads/1/3/1/0/131070258/najafamirawi.pdf
    • http://neverwhisper.com/uploads/1/3/0/6/130620436/6009718.pdf
    • http://beautybyellav.com/uploads/1/3/0/3/130379803/4b521debb9176.pdf
    • http://reannhuber.com/uploads/1/3/0/6/130620704/9978959.pdf
    • http://www.bellanyjackson.com/uploads/1/3/0/7/130739101/2777541.pdf
    • http://dougdrill.com/uploads/1/3/0/9/130969402/7632665.pdf
    • http://www.hypotheekrekentool.nl/uploads/1/3/0/6/130620314/8046925.pdf
    • http://loribeliharboyd.com/uploads/1/3/0/7/130775775/mawinulalibi-judoroxolireli-wusolebo-bisosa.pdf
    • http://coybutstormy.com/uploads/1/3/0/3/130323290/39ae648e1f5f4.pdf
    • http://realtimeireland.com/uploads/1/3/0/6/130604799/vegoxolibu-mogenateje-barenovak-dozuzaz.pdf
    • http://popsoupmag.com/uploads/1/3/0/7/130776760/1449512.pdf
    • http://www.nathanielespinoza.me/uploads/1/3/0/6/130639203/868592.pdf
    • http://zeustreeservice.net/uploads/1/3/0/6/130604222/2afe20.pdf
    • http://aransasapparel.com/uploads/1/3/0/6/130603855/xexeletabu.pdf
    The six URIs below are standard XMP/RDF namespace identifiers from the document's metadata stream; they are not link targets and should not be treated as indicators.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
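The following Python is an added example, not the analysis engine's code, of how the two findings above are separated: it pulls /URI action targets out of raw PDF bytes (literal and hex-encoded strings), distinguishes them from XMP namespace declarations and URLs that merely appear in body text, and applies a link-farm check in the spirit of PDF_SEO_LINK_FARM. The thresholds (256 KB, 10 links, 60% .pdf targets) are assumptions, and the fixture PDF is constructed inside the block.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Byte-level matchers: /URI action targets (literal or hex string), XMP namespace
# declarations, and a naive "anything that looks like a URL" grep.
URI_ACTION = re.compile(rb"/URI\s*(?:\(((?:[^()\\]|\\.)*)\)|<([0-9A-Fa-f\s]*)>)")
XMP_NS = re.compile(rb'xmlns:\w+="([^"]+)"')
ANY_URL = re.compile(rb"https?://[^\s\"'<>()]+")


def _decode_string(literal, hexstr):
    if hexstr is not None:
        return bytes.fromhex(re.sub(rb"\s", b"", hexstr).decode()).decode("latin-1")
    # Minimal unescaping of \( \) \\ ; octal escapes are not handled here.
    return re.sub(rb"\\(.)", rb"\1", literal).decode("latin-1")


def extract_uri_actions(pdf: bytes) -> list[str]:
    """Targets of /URI actions, i.e. what opens when a link annotation is clicked."""
    return [_decode_string(m.group(1), m.group(2)) for m in URI_ACTION.finditer(pdf)]


def extract_xmp_namespaces(pdf: bytes) -> list[str]:
    """Namespace URIs declared in XMP metadata: identifiers, never navigated to."""
    return [m.group(1).decode("latin-1") for m in XMP_NS.finditer(pdf)]


def classify_urls(pdf: bytes) -> dict[str, str]:
    """Label each URL by the channel that carries it; only link annotations are clickable."""
    labels = {u: "link-annotation" for u in extract_uri_actions(pdf)}
    for u in extract_xmp_namespaces(pdf):
        labels.setdefault(u, "xmp-namespace")
    for m in ANY_URL.finditer(pdf):  # whatever else a plain grep would surface
        labels.setdefault(m.group(0).decode("latin-1"), "document-body")
    return labels


def seo_link_farm(pdf: bytes, max_size=256 * 1024, min_links=10, min_pdf_ratio=0.6):
    """Hypothetical PDF_SEO_LINK_FARM-style check with assumed thresholds: a small
    file, many clickable external links, most of them pointing at other PDFs."""
    targets = [u for u in extract_uri_actions(pdf) if urlparse(u).scheme in ("http", "https")]
    pdf_targets = [u for u in targets if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in targets)
    stats = {
        "size": len(pdf),
        "external_links": len(targets),
        "pdf_links": len(pdf_targets),
        "distinct_hosts": len(hosts),
        "top_host_share": hosts.most_common(1)[0][1] / len(targets) if targets else 0.0,
    }
    fired = (len(pdf) <= max_size and len(targets) >= min_links
             and len(pdf_targets) / len(targets) >= min_pdf_ratio)
    return fired, stats


def build_sample_pdf(urls: list[str]) -> bytes:
    """Constructed fixture: one page with a text content stream, an XMP stream and
    one /Link annotation per URL (the last one hex-encoded). No xref table, so it
    is a byte-level test input for the extractor, not a conformant PDF."""
    xmp = (b'<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF '
           b'xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
           b'xmlns:dc="http://purl.org/dc/elements/1.1/"/></x:xmpmeta>')
    text = b"BT /F1 12 Tf 20 100 Td (See http://plain.example/body-text) Tj ET"
    first_annot = 6
    refs = b" ".join(b"%d 0 R" % (first_annot + i) for i in range(len(urls)))
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] /Contents 5 0 R /Annots [" + refs + b"] >>",
        b"<< /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(xmp) + xmp + b"\nendstream",
        b"<< /Length %d >>\nstream\n" % len(text) + text + b"\nendstream",
    ]
    for i, u in enumerate(urls):
        enc = b"<" + u.encode().hex().encode() + b">" if i == len(urls) - 1 else b"(" + u.encode() + b")"
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 0 10 10] /A << /S /URI /URI " + enc + b" >> >>")
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (n, o) for n, o in enumerate(objs, 1))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


# Constructed fixture: twelve links in the shape of the report's shared upload-path
# scheme, eleven to .pdf files and one to an .html landing page with a keyword fragment.
SAMPLE_URLS = [f"http://site{i}.example/uploads/1/3/0/{i % 10}/13{i:07d}/doc{i}.pdf" for i in range(11)]
SAMPLE_URLS.append("http://landing.example/uploads/1/3/0/4/130000011/130000011.html#research+report")
SAMPLE_PDF = build_sample_pdf(SAMPLE_URLS)

if __name__ == "__main__":
    fired, stats = seo_link_farm(SAMPLE_PDF)
    print("PDF_SEO_LINK_FARM fired:", fired, stats)
    for url, channel in sorted(classify_urls(SAMPLE_PDF).items(), key=lambda kv: kv[1]):
        print(f"{channel:16s} {url}")
```

Two points the fixture makes: the hex-encoded /URI string is invisible to a plain URL grep but is still a clickable target, and the XMP namespace URIs show up in a grep although nothing in the document ever navigates to them. On a real sample, run the same extraction after decompressing any FlateDecode object streams, since annotations are frequently stored compressed.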

Extracted artifacts (2)

Files carved from inside the sample during analysis. Neither artifact carries a heuristic hit; embedded fonts are expected in the output of an HTML-to-PDF converter such as wkhtmltopdf.

  • font_00_sfnt_off00007ab1.bin
    SHA-256: 3ba96a25d5cc193390f7cb02fcb8f2ba76e9d4764bde3c52ece4e3e5cf3adf48
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7AB1
    Size: 8228 bytes
  • font_01_sfnt_off00009a8c.bin
    SHA-256: 915baeb1e29b1296448dc25187851e9706b77add1d29a836586dd6d4826066cd
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9A8C
    Size: 2600 bytes
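As an added example of how entries like "PDF embedded font (sfnt) at offset 0x7AB1, 8228 bytes" are derived (this is not the analysis engine's own carver), the Python below scans raw bytes for sfnt version tags, validates the offset table and table directory, and takes the font length from the furthest table end. The fixture font and PDF-shaped buffer are constructed in the block, and the output filename scheme mirrors the artifact names listed above.

```python
import struct

# sfnt version tags: TrueType, Apple TrueType, CFF-flavoured OpenType.
SFNT_MAGICS = (b"\x00\x01\x00\x00", b"true", b"OTTO")


def parse_sfnt(buf: bytes, off: int):
    """Validate an sfnt offset table at buf[off:] and return (offset, length) of the
    whole font, or None. searchRange/entrySelector/rangeShift must agree with
    numTables and every table record must lie inside the buffer; that filters the
    stray 00 01 00 00 runs (including the version field of a 'head' table) that a
    plain byte scan turns up."""
    if off + 12 > len(buf):
        return None
    tag, num, sr, es, rs = struct.unpack_from(">4sHHHH", buf, off)
    if tag not in SFNT_MAGICS or not 0 < num <= 64:
        return None
    p = 1 << (num.bit_length() - 1)  # largest power of two <= numTables
    if sr != p * 16 or es != p.bit_length() - 1 or rs != num * 16 - sr:
        return None
    dir_end = 12 + 16 * num
    if off + dir_end > len(buf):
        return None
    end = dir_end
    for i in range(num):
        ttag, _csum, toff, tlen = struct.unpack_from(">4sIII", buf, off + 12 + 16 * i)
        if not all(0x20 <= c <= 0x7E for c in ttag) or toff < dir_end or off + toff + tlen > len(buf):
            return None
        end = max(end, toff + tlen)
    return off, end


def carve_sfnt_fonts(buf: bytes):
    """Scan for sfnt magics, keep candidates whose directory validates and name
    them the way the report's artifact list does (index, kind, hex offset)."""
    spans = set()
    for magic in SFNT_MAGICS:
        i = buf.find(magic)
        while i != -1:
            span = parse_sfnt(buf, i)
            if span is not None:
                spans.add(span)
            i = buf.find(magic, i + 1)
    return [(f"font_{n:02d}_sfnt_off{o:08x}.bin", o, length)
            for n, (o, length) in enumerate(sorted(spans))]


def build_sfnt(tables: dict) -> bytes:
    """Constructed minimal TrueType container: correct offset table, directory with
    computed checksums, 4-byte aligned tables. Structurally valid, not a usable font."""
    n = len(tables)
    p = 1 << (n.bit_length() - 1)
    header = struct.pack(">4sHHHH", b"\x00\x01\x00\x00", n, p * 16, p.bit_length() - 1, n * 16 - p * 16)
    directory, body, off = b"", b"", 12 + 16 * n
    for tag, data in sorted(tables.items()):
        padded = data + b"\0" * (-len(data) % 4)
        csum = sum(struct.unpack(">%dI" % (len(padded) // 4), padded)) & 0xFFFFFFFF
        directory += struct.pack(">4sIII", tag, csum, off, len(data))
        body += padded
        off += len(padded)
    return header + directory + body


# Constructed fixture: a PDF-shaped buffer holding the font in a FontFile2 stream,
# preceded by a content stream with decoy 00 01 00 00 bytes that must not be carved.
SAMPLE_FONT = build_sfnt({
    b"head": b"\x00\x01\x00\x00" + b"\x00\x01\x00\x00" + b"\0" * 46,  # version 1.0 = decoy magic
    b"name": b"\0\0\0\1" + b"\0" * 12,
    b"glyf": b"\x7f" * 37,
})
FONT_LEN = str(len(SAMPLE_FONT)).encode()
SAMPLE_PDF = (b"%PDF-1.4\n"
              b"5 0 obj << /Length 12 >>\nstream\n\x00\x01\x00\x00\x00\x09\x00\x00\x00\x00\x00\x00\nendstream\nendobj\n"
              b"9 0 obj << /Length " + FONT_LEN + b" /Length1 " + FONT_LEN + b" >>\nstream\n"
              + SAMPLE_FONT + b"\nendstream\nendobj\n%%EOF\n")
FONT_OFFSET = SAMPLE_PDF.index(SAMPLE_FONT)

if __name__ == "__main__":
    for name, off, length in carve_sfnt_fonts(SAMPLE_PDF):
        print(f"{name}  PDF embedded font (sfnt) at offset 0x{off:X}  {length} bytes")
```

The consistency check on searchRange, entrySelector and rangeShift is what keeps a byte scan honest: the 'head' table inside every TrueType font starts with the same 00 01 00 00 as the font itself, and content streams regularly contain that sequence too. As with link extraction, run the carver over decompressed stream data when the font is stored under FlateDecode.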