Malicious PDF — malware analysis report

Static analysis result for SHA-256 2351258e1f23ab17…

Verdict: MALICIOUS
File type: PDF
Size: 40.5 KB
Created: 2020-04-06 07:00:35 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 7ed9bd5c8b3ca276292839d46743c6ad
SHA-1: 367b416e7aec5b0e9df816509a8708636ea3b15a
SHA-256: 2351258e1f23ab17481a4d65cbe73fd0a176e47908b295175eb76a1ec85cac0b
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious File

The PDF contains a large number of external links, flagged by the PDF_SEO_LINK_FARM heuristic. The links point to .pdf files on several different domains, which is the signature of a generated link-farm or SEO-manipulation document rather than of a document citing sources. The document body, though partially corrupted, also contains URLs that are likely part of the same scheme. The file's purpose appears to be routing readers to other malicious or unwanted content, not executing anything itself: no JavaScript, launch action or embedded executable is reported.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL labels say which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ejuiice.com/uploads/1/3/0/3/130313784/130313784.html#sistema+de+fuerzas+concurrentes-+metodo+del+poligono
    • http://postbogan.com/uploads/1/3/0/6/130605498/guxavolasesovulero.pdf
    • http://progressiveastronomy.org/uploads/1/3/0/5/130550879/7279734.pdf
    • http://geeklyguide.com/uploads/1/3/0/2/130270799/6049816.pdf
    • http://martinbenatti.com/uploads/1/3/0/4/130488833/sudiwod.pdf
    • http://internationalautoservices.com/uploads/1/3/0/5/130545043/892681.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The w3.org, purl.org and ns.adobe.com entries are the standard RDF, Dublin Core and XMP namespace URIs declared in the document's XMP metadata packet; they are not clickable targets and appear in any wkhtmltopdf output. The remaining entries are the external links the heuristics above refer to.
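The following Python is an added example, not the scanner's own code or anything from this report. It shows the two ideas the heuristics above describe: labelling each extracted URL by the channel that carried it (clickable /URI action, XMP namespace declaration, or bare text), and a PDF_SEO_LINK_FARM-style check that scores a file on size, number of external clickable links, share of .pdf targets and clustering on one host. The thresholds, the host names and the `build_pdf` helper that fabricates a minimal test PDF are assumptions of this example; the real scanner's thresholds are not published on this page.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Byte-level extraction, the way many triage tools scan a PDF. It does not
# inflate FlateDecode streams or decode hex/escaped strings, so URLs hidden
# in compressed object streams would be missed (a known blind spot).
URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")
XMLNS_RE = re.compile(rb'xmlns(?::\w+)?="([^"]+)"')
ANY_URL_RE = re.compile(rb'https?://[^\s()<>"\]]+')


def build_pdf(uris, body_url="http://landing.example.test/page.html"):
    """Constructed test input (assumption, not the analysed sample): a minimal
    PDF with no xref table and nominal stream lengths, one /Link annotation
    per URI, one URL in the page text, and an XMP packet declaring the usual
    RDF and Dublin Core namespaces."""
    annots = " ".join(f"{i} 0 R" for i in range(6, 6 + len(uris)))
    objs = "\n".join(
        f"{i} 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI ({u}) >> >> endobj"
        for i, u in enumerate(uris, start=6))
    head = f"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 5 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R /Annots [{annots}] >> endobj
4 0 obj << /Length 60 >>
stream
BT /F1 12 Tf (See {body_url}) Tj ET
endstream
endobj
5 0 obj << /Type /Metadata /Subtype /XML /Length 130 >>
stream
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/"></rdf:RDF>
endstream
endobj
"""
    return (head + objs + "\ntrailer << /Root 1 0 R >>\n%%EOF\n").encode("latin-1")


def extract_urls(pdf):
    """Label each URL by the channel that carried it: a /URI action (clickable),
    an XMP namespace declaration (metadata, not a link), or bare text elsewhere.
    The first channel to claim a URL wins, so namespace URIs are never
    mislabelled as body text."""
    channels = {}
    for m in URI_ACTION_RE.finditer(pdf):
        channels.setdefault(m.group(1).decode("latin-1"), "uri_action")
    for m in XMLNS_RE.finditer(pdf):
        channels.setdefault(m.group(1).decode("latin-1"), "xmp_namespace")
    for m in ANY_URL_RE.finditer(pdf):
        channels.setdefault(m.group(0).decode("latin-1"), "document_body")
    return channels


def link_farm_check(pdf, max_size=100 * 1024, min_links=4,
                    min_pdf_share=0.6, min_host_share=0.5):
    """Link-farm heuristic in the spirit of PDF_SEO_LINK_FARM: a small file,
    several clickable external links, most of them to .pdf targets and most
    on one host. Only /URI actions count; namespace and body URLs do not.
    Thresholds are this example's assumptions, not the vendor's."""
    external = [urlparse(u) for u, ch in extract_urls(pdf).items()
                if ch == "uri_action"]
    external = [p for p in external if p.scheme in ("http", "https") and p.hostname]
    n = len(external)
    pdf_share = sum(p.path.lower().endswith(".pdf") for p in external) / n if n else 0.0
    hosts = Counter(p.hostname for p in external)
    top_host, top_count = hosts.most_common(1)[0] if hosts else (None, 0)
    host_share = top_count / n if n else 0.0
    return {
        "size": len(pdf),
        "external_links": n,
        "pdf_share": pdf_share,
        "top_host": top_host,
        "top_host_links": top_count,
        "host_share": host_share,
        "triggered": (len(pdf) <= max_size and n >= min_links
                      and pdf_share >= min_pdf_share and host_share >= min_host_share),
    }


# Constructed inputs (assumed hosts): a link-farm carrier and an ordinary
# document carrying a few citation links to different hosts.
FARM_LINKS = [f"http://farm.example.test/uploads/1/3/0/{i}/{i}.pdf" for i in range(4)]
FARM_LINKS.append("http://other.example.test/uploads/9/x.pdf")
CITATION_LINKS = ["http://a.example.test/paper.html",
                  "http://b.example.test/refs",
                  "http://c.example.test/doc.pdf"]

if __name__ == "__main__":
    for name, links in (("farm", FARM_LINKS), ("citations", CITATION_LINKS)):
        sample = build_pdf(links)
        print(name, link_farm_check(sample))
        for url, channel in extract_urls(sample).items():
            print(f"  {channel:14} {url}")
```

Run stand-alone, the farm sample trips the check (five clickable .pdf links, four on one host) while the citation sample does not, and the namespace URIs from the XMP packet are reported under their own channel rather than as links. To triage a real file, replace `build_pdf(...)` with the raw bytes of the sample and, for anything with compressed object streams, decompress first or use a PDF parser that does.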

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  Filename: font_00_sfnt_off00006895.bin
  SHA-256:  f411e8496dddef73970c57df6ade31d6321291826a7f7471f3fbe4c1f38db875
  Kind:     pdf-font-stream
  Source:   PDF embedded font (sfnt) at offset 0x6895
  Size:     8916 bytes

  Filename: font_01_sfnt_off00008929.bin
  SHA-256:  4d9ec2aec8f1ca6bebe1b56492fd55a77bba3a6e98efb76508c1b835d4eb9912
  Kind:     pdf-font-stream
  Source:   PDF embedded font (sfnt) at offset 0x8929
  Size:     2860 bytes