Malicious PDF — malware analysis report

Static analysis result for SHA-256 24eae9fa72474582…

Verdict: MALICIOUS
File type: PDF
Size: 45.7 KB
Created: 2020-05-15 10:51:56 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 9416bde68248320969a19ea93f2a4c3b
SHA-1: ceabe52bd0a1c439d50b487b81177ef6f5ca5d47
SHA-256: 24eae9fa724745822541810f69aa72c2177edec89d578e8e022820711071572c
Risk score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.001 User Execution: Malicious Link

The PDF contains a large number of external link annotations and was flagged by the PDF_SEO_LINK_FARM heuristic. The links point to .pdf files on many unrelated domains that all share the same /uploads/1/3/x/y/<nine-digit id>/ path layout, and the single .html link carries a search-keyword fragment (#vernier+caliper+pdf+gujarati); taken together this looks like a generated SEO carrier that routes readers into further download chains rather than a document citing sources. No scripts were extracted and the document body is heavily obfuscated, so nothing more specific than link distribution can be established from static analysis alone.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; the per-URL labels show which channel (macro, JS, link annotation, document body, ...) reached each one.
    • http://blackfilmcentre.org/uploads/1/3/0/6/130620431/130620431.html#vernier+caliper+pdf+gujarati
    • http://portfolioinvestmentpty.org/uploads/1/3/1/3/131379541/494207.pdf
    • http://stjohnsuccpalmerton.com/uploads/1/3/1/6/131606844/c88eca400.pdf
    • http://mobile-notary-of-california.com/uploads/1/3/0/5/130588806/sigorexubuzarodo.pdf
    • http://araaragot.com/uploads/1/3/0/2/130291555/8444952.pdf
    • http://woctravelsociety.com/uploads/1/3/0/7/130739938/9427775.pdf
    • http://borderlinesproject.com/uploads/1/3/0/5/130588989/lorutabupelore.pdf
    • http://something-creative.ca/uploads/1/3/1/0/131071076/zaguxalojab.pdf
    • http://vocoderstudio.com/uploads/1/3/1/0/131070226/3716146.pdf
    • http://julepnjoy.com/uploads/1/3/0/2/130272095/b972b00b0f1d0.pdf
    • http://davidrobertloblaw.com/uploads/1/3/0/5/130539412/dobovizimorat_xutukidu.pdf
    • http://bigheart.dk/uploads/1/3/0/7/130738819/2661242.pdf
    • http://tintanegrahtx.com/uploads/1/3/1/4/131438257/9327418.pdf
    • http://jordanlee.online/uploads/1/3/0/4/130477039/xupatidusinizezi.pdf
    • http://hotspringslimo.com/uploads/1/3/0/5/130546977/9372819.pdf
    • http://nhanceapp.com/uploads/1/3/0/6/130621278/1c8f1c556dbf4fb.pdf
    • http://korinneroggenbuck.com/uploads/1/3/0/9/130969673/6c9c808e.pdf
    • http://washingtonstateasa.com/uploads/1/3/0/6/130604241/859a4012.pdf
    • http://careercoaching.sydney/uploads/1/3/1/4/131452814/gepotig_xofarokidi_wopopabi_banajaku.pdf
    • http://jbuniquegifts.com/uploads/1/3/0/4/130435925/9f7d366a944.pdf
    • http://luvapy.org/uploads/1/3/0/6/130604820/xojejowavogi.pdf
    • http://garyfink.com/uploads/1/3/0/5/130588710/2919431.pdf
    • http://aphroditessecrets.com/uploads/1/3/0/2/130272278/meluv_xesaxosiwajomul_mibepidavuzam_timutusutojotok.pdf
    • http://terredevanille.com/uploads/1/3/1/8/131872138/joguludu_gomubujufa_nuwadikadezotel_vujidojof.pdf
    The remaining six are XMP schema namespace URIs (RDF, Dublin Core, Adobe PDF/XMP) that appear in the document's metadata packet; they are identifiers, not clickable links:
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
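As an added example (it is not the scanner's detector nor any tooling from this report), the following stdlib-only Python script shows the two points the heuristics above turn on: each URI is attributed to the channel that carried it, so the /URI actions of /Link annotations are kept apart from namespace URIs that merely appear in the XMP metadata packet, and a small document whose clickable links are mostly .pdf targets is scored for clustering. The host-clustering rule follows the PDF_SEO_LINK_FARM description; the path-template rule (many unrelated hosts sharing one /uploads/N/N/N/N/N/ layout, as in the list above) is a generalisation added here. The thresholds, the regex-based raw scan (which does not see objects packed into object streams) and the minimal PDF built by build_sample_pdf() are assumptions; the sample URLs are copied from the report's list.

```python
"""Link-farm triage for a PDF: URIs grouped by the channel that carried them, then scored.
Added example, not the scanner's detector. Thresholds, the path-template signal and the
sample PDF built below are assumptions made for the report above."""
import re
import zlib
from collections import Counter
from urllib.parse import urlsplit

# Clickable channel: /URI actions, as used by /Link annotations.
URI_ACTION = re.compile(rb"/S\s*/URI\s*/URI\s*\((?P<uri>(?:\\.|[^\\)])*)\)", re.S)
# A flat stream dictionary followed by the start of its stream body.
STREAM_HEAD = re.compile(rb"<<(?P<dict>[^<>]*)>>\s*stream\r?\n")
# Direct /Length only; an indirect "/Length 7 0 R" would need a real parser.
DIRECT_LENGTH = re.compile(rb"/Length\s+(\d+)(?![\d\s]*R)")
URL_LIKE = re.compile(rb"https?://[^\s\"'<>]+")
DIGITS = re.compile(r"\d+")


def extract_uris(pdf: bytes) -> dict:
    """{channel: [uri, ...]}: a link annotation is never confused with a namespace URI that
    merely appears in XMP metadata. Objects packed into /ObjStm are not seen by a raw scan."""
    out = {"link_annotation": [], "xmp_metadata": [], "other_stream": []}
    # PDF literal-string escapes (\( \) \\) are rare in URLs and ignored here.
    out["link_annotation"] = [m.group("uri").decode("latin-1") for m in URI_ACTION.finditer(pdf)]
    for m in STREAM_HEAD.finditer(pdf):
        d = m.group("dict")
        length = DIRECT_LENGTH.search(d)
        if not length:
            continue
        body = pdf[m.end():m.end() + int(length.group(1))]  # /Length beats hunting for endstream
        if b"/FlateDecode" in d:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue  # damaged or mislabelled stream: skip rather than guess
        channel = "xmp_metadata" if b"/Metadata" in d else "other_stream"
        out[channel] += [u.decode("latin-1") for u in URL_LIKE.findall(body)]
    return out


def path_template(url: str) -> str:
    """/uploads/1/3/0/6/130620431/x.pdf and /uploads/1/3/1/0/131070226/y.pdf -> /uploads/N/N/N/N/N/*"""
    return DIGITS.sub("N", urlsplit(url).path.rpartition("/")[0]) + "/*"


def link_farm_verdict(pdf: bytes, *, max_size=256 * 1024, min_links=8, share=0.5) -> dict:
    """Small PDF, many clickable .pdf targets, and the targets cluster on one host or on one
    path template (the latter is the generalisation this example adds; thresholds are assumed)."""
    links = extract_uris(pdf)["link_annotation"]
    pdf_links = [u for u in links if urlsplit(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlsplit(u).hostname for u in pdf_links)
    templates = Counter(path_template(u) for u in pdf_links)
    n = len(pdf_links)
    top_host = hosts.most_common(1)[0] if hosts else ("", 0)
    top_tpl = templates.most_common(1)[0] if templates else ("", 0)
    clustered = n > 0 and max(top_host[1], top_tpl[1]) / n >= share
    return {"size": len(pdf), "clickable_links": len(links), "pdf_links": n,
            "distinct_hosts": len(hosts), "top_host": top_host[0],
            "top_path_template": top_tpl[0],
            "link_farm": len(pdf) <= max_size and n >= min_links and clustered}


def build_sample_pdf(urls, xmp_namespaces) -> bytes:
    """Constructed minimal PDF (no xref; enough for a raw scan): one page whose /Annots are
    /Link annotations with /URI actions, plus a deflated XMP /Metadata stream."""
    xmp = ("<x:xmpmeta xmlns:x='adobe:ns:meta/'><rdf:RDF xmlns:rdf='%s'>" % xmp_namespaces[0]
           + "".join("<rdf:Description xmlns:ns='%s'/>" % ns for ns in xmp_namespaces[1:])
           + "</rdf:RDF></x:xmpmeta>").encode()
    packed = zlib.compress(xmp)
    objs = [b"<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b"",  # page object, filled in once the annotation object numbers are known
            b"<< /Type /Metadata /Subtype /XML /Filter /FlateDecode /Length %d >>\nstream\n"
            % len(packed) + packed + b"\nendstream"]
    refs = []
    for i, u in enumerate(urls):
        objs.append(b"<< /Type /Annot /Subtype /Link /Rect [0 %d 100 %d] /A << /S /URI /URI (%s) >> >>"
                    % (i * 10, i * 10 + 9, u.encode()))
        refs.append(b"%d 0 R" % len(objs))
    objs[2] = b"<< /Type /Page /Parent 2 0 R /Annots [" + b" ".join(refs) + b"] >>"
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i, o) for i, o in enumerate(objs, 1))
    return b"%PDF-1.4\n" + body + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"


# Nine URLs copied from the report's EMBEDDED_URL list and three of its XMP namespace URIs.
SAMPLE_LINKS = [
    "http://blackfilmcentre.org/uploads/1/3/0/6/130620431/130620431.html#vernier+caliper+pdf+gujarati",
    "http://portfolioinvestmentpty.org/uploads/1/3/1/3/131379541/494207.pdf",
    "http://stjohnsuccpalmerton.com/uploads/1/3/1/6/131606844/c88eca400.pdf",
    "http://mobile-notary-of-california.com/uploads/1/3/0/5/130588806/sigorexubuzarodo.pdf",
    "http://araaragot.com/uploads/1/3/0/2/130291555/8444952.pdf",
    "http://woctravelsociety.com/uploads/1/3/0/7/130739938/9427775.pdf",
    "http://borderlinesproject.com/uploads/1/3/0/5/130588989/lorutabupelore.pdf",
    "http://something-creative.ca/uploads/1/3/1/0/131071076/zaguxalojab.pdf",
    "http://vocoderstudio.com/uploads/1/3/1/0/131070226/3716146.pdf",
]
XMP_NAMESPACES = ["http://www.w3.org/1999/02/22-rdf-syntax-ns#",
                  "http://purl.org/dc/elements/1.1/", "http://ns.adobe.com/pdf/1.3/"]
```

Calling link_farm_verdict(build_sample_pdf(SAMPLE_LINKS, XMP_NAMESPACES)) on the constructed sample reports eight .pdf links over eight distinct hosts that share the template /uploads/N/N/N/N/N/*, and link_farm True; the three namespace URIs surface only under xmp_metadata, never as link annotations. On a real sample, decompress object streams (or hand the file to a full PDF parser) before trusting a negative result from a raw scan like this one.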

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off000084fb.bin
SHA-256:  f18f1f8efd6db36dd69889b87593e62329c1971a45a12c82e66741d499672808
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0x84FB
Size:     11192 bytes