Malicious PDF — malware analysis report

Static analysis result for SHA-256 2bb488331e9e2f53…

Verdict: MALICIOUS
File type: PDF
Size: 28.5 KB
Created: 2020-04-27 23:41:58 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 82650189b1055686832a8d291eab1f74
SHA-1: 3425501137c43acbf035d08d6ea621a10a944aca
SHA-256: 2bb488331e9e2f53fa7fa7108bc30375e3094a8be4b488102ae95b7d2be7721b
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links to other PDF files hosted on various domains. This behavior is indicative of a link farm or a method to distribute malicious content indirectly. The heuristic 'PDF_SEO_LINK_FARM' specifically flags this pattern, suggesting the document is part of a larger SEO-based scheme. The embedded URLs are the primary indicators of compromise, pointing to potentially malicious destinations.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    The PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00004af0.bin
SHA-256: b76891a08bb9b2959ba73d112f2dff5b63c0205b83c8badced274ff00419020c
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x4AF0
Size: 6924 bytes