Malicious PDF — malware analysis report

Static analysis result for SHA-256 27d0bbd9644a6080…

MALICIOUS

PDF

Size: 43.1 KB
Created: 2020-04-02 01:14:24 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 3b1876722d89c402674053f29e1e1f28
SHA-1: 9a1a4889684802d327676e1816917365c3716408
SHA-256: 27d0bbd9644a60808841d6479a81e98647cebdac7c46f000b50b1376bfe12a46
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of external links, flagged by the PDF_SEO_LINK_FARM heuristic. These links point to many different domains, which is consistent with a link farm or redirection scheme. The document body contains garbled text together with some of the extracted URLs, indicating a lure or an attempt to manipulate search engine results. No scripts were extracted from this sample.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Extracted URLs:
    • http://onkoyoga.com/uploads/1/3/0/7/130775347/130775347.html#que+es+espejo+convexo+wikipedia
    • http://thetuscanvillages.com/uploads/1/3/0/4/130435556/12fb627.pdf
    • http://jimcarterlpc.com/uploads/1/3/0/6/130604304/2590004.pdf
    • http://rcbcfund.com/uploads/1/3/0/8/130873807/8738645.pdf
    • http://bbt.network/uploads/1/3/1/0/131069898/2673794.pdf
    • http://bellevueboysswive.com/uploads/1/3/0/7/130776590/bafigat_vibipezitatefo.pdf
    • http://kapaaquarryrecycling.net/uploads/1/3/1/3/131380482/zesuniluwawedonaro.pdf
    • http://cambridgeblackcar.com/uploads/1/3/0/2/130289371/4350340.pdf
    • http://wellbeingmatters.biz/uploads/1/3/0/2/130289523/e278a437c487.pdf
    • http://dohagardenclub.net/uploads/1/3/0/6/130604757/848441.pdf
    • http://moonandmountaindesigns.com/uploads/1/3/1/0/131070452/2022366.pdf
    • http://256customs.com/uploads/1/3/0/5/130540795/ximazune.pdf
    • http://ohmygoodnessfarms.com/uploads/1/3/1/0/131070197/596366.pdf
    • http://jostarot.com/uploads/1/3/0/5/130551375/9d0b359d.pdf
    • http://my-simply-natural.com/uploads/1/3/0/7/130775052/043bf47f83ab8.pdf
    • http://forty2sixtyeighthockey.com/uploads/1/3/0/5/130590738/wojutikebatinop-tozotejepuna-vemolo-tutadaxisures.pdf
    • http://angebel.com/uploads/1/3/0/6/130639115/gonogugir.pdf
    • http://stylemechicblog.com/uploads/1/3/0/5/130589415/1811107.pdf
    • http://derekzhang.net/uploads/1/3/0/5/130550992/lefevuterexemonoda.pdf
    • http://artofchristinenguyen.com/uploads/1/3/0/4/130483956/woxetuw.pdf
    • http://proactiveparalegal.com/uploads/1/3/0/5/130588894/tizobufiwiw.pdf
    • http://antifashionista.com/uploads/1/3/0/9/130969458/tabajetasediginimis.pdf
    • http://hoglcs.com/uploads/1/3/0/4/130489052/8aa4b1d50.pdf
    • http://buenoscience.com/uploads/1/3/0/6/130621393/segifidof.pdf
    • http://pleasuretron.com/uploads/1/3/0/5/130590180/tirizama.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007e1a.bin
SHA-256: 1b737be5917ab04d05ede072261860d5b1a89c1c694c134ece9f02bafeb58a44
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x7E1A
Size: 8296 bytes