Malicious PDF — malware analysis report

Static analysis result for SHA-256 2872ed18b35fa1ce…

Verdict: MALICIOUS
File type: PDF
Size: 39.8 KB
Created: 2020-03-27 07:06:25 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 6d96a0292b1e16bd36ab733694a918ec
SHA-1: a4299aaf5b723d59d4f6a9c31217742dcfcd6915
SHA-256: 2872ed18b35fa1ce1f35bbe0e062d0e382d92f0352051462156070dedc5f63d2
Risk Score: 62

Malware Insights

MITRE ATT&CK
T1598 Phishing for Information; T1204.001 User Execution: Malicious Link

This PDF carries an unusually large number of clickable external links, flagged by the PDF_SEO_LINK_FARM heuristic. The /URI actions point to further PDF files on many different domains, all under the same templated /uploads/1/3/0/<n>/<id>/ path, which is the signature of a generated SEO link farm or a redirector into a further delivery chain rather than an ordinary citation pattern. No JavaScript or other script content was extracted from the sample, so the payload and execution method cannot be determined statically; the exposure is the click-through to the linked files, which this report does not fetch.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://templestoweroofing.com/uploads/1/3/0/9/130969934/130969934.html#estado+de+utilidades+retenidas+wikipedia
    • http://strategyforall.com/uploads/1/3/0/7/130775624/wirekipa.pdf
    • http://autodiscover.platinumdancecompany.com/uploads/1/3/0/6/130622012/mevexolifeba.pdf
    • http://www.yogamirileti.com/uploads/1/3/0/7/130739373/4616752.pdf
    • http://smt-metalltechnik.com/uploads/1/3/0/5/130539223/lifedezazimem.pdf
    • http://mta-sts.iskamsos.info/uploads/1/3/0/5/130550758/3175273.pdf
    • http://handballforhope.com/uploads/1/3/0/6/130604940/1cd45bd90b018.pdf
    • http://fintoro.com/uploads/1/3/0/6/130620473/2171430.pdf
    • http://sublimators.net/uploads/1/3/0/3/130379315/2924146.pdf
    • http://seattleprenatalmassage.com/uploads/1/3/0/4/130476332/fekadukufokosiluximi.pdf
    • http://prorrs.com/uploads/1/3/0/8/130815192/fadisadimoware.pdf
    • http://miraclevalleyceylon.com/uploads/1/3/0/5/130540009/6840024.pdf
    • http://pdstudios.net/uploads/1/3/0/4/130483373/rivejoborikejavor.pdf
    • http://natesblog.org/uploads/1/3/0/4/130478004/zatopifujajuza.pdf
    • http://www.alpxpress.com/uploads/1/3/0/7/130775176/75ec925.pdf
    • http://afterhourshub.com/uploads/1/3/0/8/130814469/701663.pdf
    • http://reviewmywebpage.com/uploads/1/3/0/8/130814784/a62ca8b4.pdf
    • http://grandstafflaw.com/uploads/1/3/0/7/130776147/tokizasokonajowab.pdf
    • http://serenityskinexperts.com/uploads/1/3/0/6/130604363/52cb3e275191.pdf
    • http://kashmedia.biz/uploads/1/3/0/7/130740627/c7cc8a40a472dc.pdf
    • http://awakenedpaths2.com/uploads/1/3/0/5/130551653/81a24dea10.pdf
    • http://heritagedesignerhomes.net/uploads/1/3/0/7/130776183/vokejowukaze-kokanusagekebo.pdf
    RDF/XMP namespace identifiers from the document metadata (not clickable links):
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
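The EMBEDDED_URL note above stresses that the channel matters (a /URI action is clickable, an XMP namespace URI is not), and PDF_SEO_LINK_FARM then scores the clickable set. The following is an added example, not the analysis tool's own code: it separates URLs by channel with a byte-level scan of an uncompressed PDF constructed inline (placeholder hosts, same templated /uploads path shape as the report's URLs) and applies an assumed re-implementation of a link-farm heuristic. The thresholds and the path template are assumptions; a production extractor must also inflate FlateDecode and object streams and unescape PDF string literals, which this scan does not do.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample: a minimal, uncompressed PDF with five link annotations
# whose /URI actions point at external .pdf files on different hosts but with
# the same templated path, plus an XMP metadata stream carrying RDF/DC
# namespace URIs. Hostnames are placeholders, not the ones in the report.
ANNOT = (b"%d 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
         b"/A << /S /URI /URI (%s) >> >> endobj\n")
LINKS = [
    b"http://host-a.example/uploads/1/3/0/7/130775624/a.pdf",
    b"http://host-b.example/uploads/1/3/0/6/130622012/b.pdf",
    b"http://host-c.example/uploads/1/3/0/5/130539223/c.pdf",
    b"http://host-d.example/uploads/1/3/0/4/130476332/d.pdf",
    b"http://host-e.example/uploads/1/3/0/8/130815192/e.pdf",
]
XMP = (b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
       b'xmlns:dc="http://purl.org/dc/elements/1.1/"/>')
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 9 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R] >> endobj\n"
    + b"".join(ANNOT % (4 + i, u) for i, u in enumerate(LINKS))
    + b"9 0 obj << /Type /Metadata /Subtype /XML /Length %d >>\nstream\n" % len(XMP)
    + XMP + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# /URI action inside a link annotation: what a reader follows on click.
URI_ACTION_RE = re.compile(rb"/S\s*/URI\s*/URI\s*\(([^)]*)\)")
# XML namespace declarations inside XMP metadata: identifiers, never links.
XMLNS_RE = re.compile(rb'xmlns:\w+="([^"]+)"')
# Templated upload path shape seen in the report's URL list (assumed pattern).
TEMPLATE_PATH_RE = re.compile(r"^/uploads(?:/\d+){4}/\d+/[^/]+\.pdf$", re.IGNORECASE)


def extract_urls(pdf: bytes) -> dict:
    """Return URLs keyed by the channel that carried them (uncompressed objects only)."""
    return {
        "uri_action": [m.group(1).decode("latin-1") for m in URI_ACTION_RE.finditer(pdf)],
        "xmp_ns": [m.group(1).decode("latin-1") for m in XMLNS_RE.finditer(pdf)],
    }


def link_farm_score(pdf: bytes, min_links: int = 5, max_size: int = 100 * 1024) -> dict:
    """Assumed PDF_SEO_LINK_FARM-style heuristic (thresholds are illustrative).

    Fires when a small PDF carries many clickable external .pdf links that
    either cluster on one host or share one templated path.
    """
    clickable = extract_urls(pdf)["uri_action"]
    pdf_links = [u for u in clickable if urlparse(u).path.lower().endswith(".pdf")]
    hosts = Counter(urlparse(u).hostname for u in pdf_links)
    top_share = max(hosts.values()) / len(pdf_links) if pdf_links else 0.0
    templated = sum(1 for u in pdf_links if TEMPLATE_PATH_RE.match(urlparse(u).path))
    templated_share = templated / len(pdf_links) if pdf_links else 0.0
    flagged = (len(pdf) <= max_size and len(pdf_links) >= min_links
               and (top_share >= 0.5 or templated_share >= 0.8))
    return {
        "size": len(pdf),
        "clickable": len(clickable),
        "pdf_links": len(pdf_links),
        "distinct_hosts": len(hosts),
        "top_host_share": top_share,
        "templated": templated,
        "flagged": flagged,
    }


if __name__ == "__main__":
    for channel, urls in extract_urls(SAMPLE_PDF).items():
        print(channel, urls)
    print(link_farm_score(SAMPLE_PDF))
```

Run against the constructed sample, the two XMP namespace URIs land in the `xmp_ns` bucket and never reach the score, while the five /URI actions do; because each sits on a different host, the host-clustering test alone would miss this carrier and it is the shared path template that trips the heuristic, which matches what the report's URL list shows.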

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007217.bin
SHA-256: 5a4768e921f2702451354174043ed753591cb9f332db5bbfc89d198445fb6f63
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x7217
Size: 8076 bytes
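The one carved artifact is an sfnt font stream, and the triage step a practitioner would run on such a carve is to confirm it really is a TrueType/OpenType container and that its table directory is internally consistent, since an out-of-bounds table is the shape a malformed-font exploit takes. The code below is an added example, not the analysis tool's own; it constructs a minimal, structurally valid sfnt blob inline (placeholder tables, not a usable font and not the carved artifact from this report) to exercise a header parser that reports the flavour, the SHA-256, and any table that runs past the end of the blob.

```python
import hashlib
import struct

# sfnt scaler-type values that identify TrueType/OpenType containers.
SFNT_FLAVORS = {
    0x00010000: "TrueType",
    0x4F54544F: "OpenType (CFF outlines)",   # 'OTTO'
    0x74727565: "TrueType (Apple 'true')",
}


def build_minimal_sfnt() -> bytes:
    """Constructed test blob: a structurally valid sfnt with three placeholder
    tables. It is not a usable font; it only exercises the header parser."""
    tables = {b"head": b"\x00" * 54, b"hhea": b"\x00" * 36, b"name": b"\x00" * 6}
    num = len(tables)
    max_pow2 = 1 << (num.bit_length() - 1)
    # offset table: version, numTables, searchRange, entrySelector, rangeShift
    header = struct.pack(">IHHHH", 0x00010000, num,
                         max_pow2 * 16, max_pow2.bit_length() - 1, num * 16 - max_pow2 * 16)
    directory, body = b"", b""
    offset = 12 + 16 * num
    for tag, data in tables.items():
        directory += struct.pack(">4sIII", tag, 0, offset, len(data))
        padded = data + b"\x00" * (-len(data) % 4)   # tables are 4-byte aligned
        body += padded
        offset += len(padded)
    return header + directory + body


def parse_sfnt(blob: bytes) -> dict:
    """Validate a carved font stream: flavour, table directory and bounds.

    A table whose offset+length runs past the end of the blob is reported as
    a problem rather than silently skipped, because that is exactly the kind
    of malformed structure worth a closer look in a carved font.
    """
    if len(blob) < 12:
        raise ValueError("too short for an sfnt offset table")
    version, num_tables, _sr, _es, _rs = struct.unpack(">IHHHH", blob[:12])
    if version not in SFNT_FLAVORS:
        raise ValueError(f"not an sfnt container: version 0x{version:08x}")
    tables, problems = [], []
    for i in range(num_tables):
        start = 12 + 16 * i
        if start + 16 > len(blob):
            problems.append(f"table directory truncated at entry {i}")
            break
        tag, _checksum, offset, length = struct.unpack(">4sIII", blob[start:start + 16])
        name = tag.decode("latin-1")
        if offset + length > len(blob):
            problems.append(f"table {name!r} runs past end of blob "
                            f"(offset {offset}, length {length}, blob {len(blob)})")
        tables.append((name, offset, length))
    return {
        "flavor": SFNT_FLAVORS[version],
        "sha256": hashlib.sha256(blob).hexdigest(),
        "num_tables": num_tables,
        "tables": tables,
        "problems": problems,
    }


if __name__ == "__main__":
    import sys
    # Pass a carved file such as font_00_sfnt_off00007217.bin, or run the constructed blob.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_sfnt()
    print(parse_sfnt(blob))
```

Feeding the real carve to `parse_sfnt` gives a SHA-256 to compare against the hash in the artifact listing and a table inventory; a non-empty `problems` list, or a `ValueError` on the version field, means the carved range does not hold a well-formed font and the offset or length used for the carve should be re-checked before the blob is passed to any font tooling.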