Malicious PDF — malware analysis report

Static analysis result for SHA-256 24da71daf7908c4f…

Verdict: MALICIOUS
File type: PDF
Size: 44.6 KB
Created: 2020-04-11 04:41:12 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 7e60c490fb680b3e89d5e13855665a63
SHA-1: 66261348565d112db2849ef345487df901991d9c
SHA-256: 24da71daf7908c4f3249c807c914ffb5b76f06ecc2a6c6e99896fc8b8ceb177c
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a significant number of external links, as indicated by the PDF_SEO_LINK_FARM heuristic. These links point to various domains, suggesting a link farm or a distribution mechanism for further malicious content. The embedded URLs are likely used to redirect users to potentially harmful sites or download additional payloads. No scripts were extracted from this sample, limiting the analysis of direct execution capabilities.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (4)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000051fe.bin
  SHA-256: f70043899ed84d3b0b7bd821b606fe884267e9823824eb675ff596eb5a5ab8c6
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x51FE
  Size: 8112 bytes

Filename: font_01_sfnt_off0000707b.bin
  SHA-256: 41d5c9cb4d60b7530e3cfd93a78efd430fe179aa57a8296e74fb8a971da4b0ee
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x707B
  Size: 2600 bytes

Filename: font_02_sfnt_off000079a6.bin
  SHA-256: 1723f1ced37cc89d69e30f3df6281c5e5fb8989544fd4587aa75b00c91af2fd0
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x79A6
  Size: 1388 bytes

Filename: font_03_sfnt_off0000810c.bin
  SHA-256: d868f7e87a99a256188f6d54ded54b16b8c1b7c1567bcda8347ac828b547fa4b
  Kind: pdf-font-stream
  Source: PDF embedded font (sfnt) at offset 0x810C
  Size: 12720 bytes