Malicious PDF — malware analysis report

Static analysis result for SHA-256 24189908ab6fcb88…

Verdict: MALICIOUS
File type: PDF
Size: 38.3 KB
Created: 2020-03-30 04:45:20 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 68512d1fd261702701425076b560f540
SHA-1: c0524c97373edb72a274ea4e1cc5b460b9292079
SHA-256: 24189908ab6fcb889809d26ff197bce24cf37f0b80dfe07224be71a5e403c15a
Risk Score: 82

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains a large number of external links, many pointing to other PDFs, indicating a link farm for SEO poisoning or phishing. The document body also contains a specific URL related to a product search, suggesting a lure. The presence of numerous external PDF links strongly suggests a malicious intent to redirect users to potentially harmful content.

Heuristics (4)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • SE_CALLBACK_LURE (medium): Callback phishing phone lure
    Document asks the user to call a phone number in a billing, refund, subscription, fraud, or security context, consistent with callback phishing or tech-support scam patterns.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • URL: http://74-123-77-82.mgwnet.com/uploads/1/3/0/3/130379363/130379363.html#eddie+bauer+baby+stroller+price
    • http://westoplexinspection.com/uploads/1/3/0/9/130969817/xejufiros-tisivojedimazi.pdf
    • http://yf-pcb.com/uploads/1/3/0/5/130589218/6313349.pdf
    • http://jtnitsolutions.com/uploads/1/3/1/0/131070340/nosotirelojeser.pdf
    • http://botoxinlivingstonnj.com/uploads/1/3/0/7/130775969/dadogebadu-kutalofeji-zabobimav-nobumotu.pdf
    • http://redrockillumination.com/uploads/1/3/0/6/130620709/9773b.pdf
    • http://drmarcigalloway.com/uploads/1/3/0/7/130776478/700239dba0ae63.pdf
    • http://semesterterm.com/uploads/1/3/0/3/130324126/jukabefibivodivut.pdf
    • http://petesmith.nyc/uploads/1/3/0/4/130476499/vegega.pdf
    • http://alrefae.net/uploads/1/3/0/5/130589384/suvifewezukafixot.pdf
    • http://christian76.com/uploads/1/3/0/5/130539718/zurusijazubalow.pdf
    • http://musicoterapias.com/uploads/1/3/0/9/130969539/7673813.pdf
    • http://wbdlanehomes.ca/uploads/1/3/0/8/130813409/9d285a58dd2d.pdf
    • http://gattakst.com/uploads/1/3/0/4/130483351/mavabadeza.pdf
    • http://prettylost.com/uploads/1/3/0/5/130551630/nedakazi_gitip.pdf
    • http://kianliem.com/uploads/1/3/1/3/131380011/9842965.pdf
    • http://airbitrage.com/uploads/1/3/0/7/130775624/mesetanejejoxanudi.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00005977.bin
SHA-256: 56133489273e94a709d0ca631b51f9816c95792d453386beaa1bc931f99d2025
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x5977
Size: 7072 bytes

Filename: font_01_sfnt_off00007573.bin
SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x7573
Size: 16036 bytes