Malicious PDF — malware analysis report

Static analysis result for SHA-256 25e056c3f9811d97…

MALICIOUS

PDF

Size: 39.1 KB
Created: 2020-03-29 21:29:17 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 545b9554a3b003e5323f1cf1ee92afd2
SHA-1: c5fec65da95c1b153800099752a9dcf3c06ea944
SHA-256: 25e056c3f9811d971330fbf82ecf328a29cd555d17f67877450beccd1d70830d
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a lure related to a 'Citrix wfica32.exe error' to trick users into interacting with the content. It hosts a large farm of 30 external PDF links, predominantly using SEO-like numeric slugs, suggesting a link-farming or redirection scheme. The primary goal appears to be driving traffic to these numerous external PDF files, likely for further malicious activity or to inflate ad revenue.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006eb2.bin
SHA-256: 22eaea250c48c329d5d31e199aaf776c3708c34699afc70f380b39a58463b6f0
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6EB2
Size: 8340 bytes