Malicious PDF — malware analysis report

Static analysis result for SHA-256 2bbca0eb62ecb765…

Verdict: MALICIOUS
File type: PDF
Size: 39.8 KB
Created: 2020-04-08 15:32:29 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 7e6131445607dd7372a685c8ddb78db1
SHA-1: d15e6cfdc8a1743012ab1f2d254437e5e105edca
SHA-256: 2bbca0eb62ecb76536e91a0fe20078781b8fb46bfb851047c78daa718305a834
Risk score: 62

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment
T1204.002 User Execution: Malicious File (the report's original label "Malicious Link" belongs to T1204.001; the ID is kept here because the PDF itself is the file the victim opens)

The PDF contains a large number of clickable external links to other PDF files hosted across many domains. This pattern, identified as PDF_SEO_LINK_FARM, indicates a generated document built to manipulate search engine results and route visitors into a link farm that may serve malicious or unwanted content. The visible body of the document is largely unreadable; the one non-PDF target, http://leapfrogcamo.ca/uploads/1/3/1/4/131437780/131437780.html#importancia+economica+de+los+insectos+pdf, carries a search-query fragment ("importancia economica de los insectos pdf", Spanish for "economic importance of insects pdf"), which marks the document as a lure aimed at users searching for that topic.

Heuristics (3)

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    A small PDF contains many clickable external links to other PDF files. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than the citation pattern of a normal document. The generic heuristic text looks for links clustered on one host; in this sample the 15 PDF targets sit on 15 different hosts but share a single path template (/uploads/1/3/x/y/13nnnnnnnn/<name>.pdf), which is the clustering signal here.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. A URL by itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://leapfrogcamo.ca/uploads/1/3/1/4/131437780/131437780.html#importancia+economica+de+los+insectos+pdf
    • http://rodrigoroher.net/uploads/1/3/0/6/130640021/damaw_migixeveta_betapi_tixawewufuvib.pdf
    • http://buffalonia.org/uploads/1/3/0/6/130620902/b0916b32fd81.pdf
    • http://mountephraimtaxpayersfirst.com/uploads/1/3/0/9/130969057/8821585.pdf
    • http://warfareinhistory.com/uploads/1/3/1/4/131453027/gasune.pdf
    • http://teamtoughcookies.com/uploads/1/3/0/2/130287462/wizopog-febegepirejuj.pdf
    • http://s900drive.com/uploads/1/3/0/6/130605065/kabasanafimijam_kajat_nerewuka_sodegimapezi.pdf
    • http://lanebeckstrom.com/uploads/1/3/0/8/130814576/5125111.pdf
    • http://nobleelectrics.com/uploads/1/3/1/4/131453924/nugurazir_xitenane_fapedizolakuguw.pdf
    • http://komodoecobase.org/uploads/1/3/1/3/131380109/suxejefadivinig.pdf
    • http://seaspelldestin.com/uploads/1/3/0/8/130873855/tafosujod.pdf
    • http://intuitiveinvest.com/uploads/1/3/0/8/130814058/bokeduda-kepegozuruxire.pdf
    • http://premiervacationstravel.com/uploads/1/3/0/6/130620605/2355043.pdf
    • http://sjgcollection.com/uploads/1/3/0/5/130551517/mubuzevinatonefexilo.pdf
    • http://expresslaundrydelivery.com/uploads/1/3/0/5/130588548/wetaziwaw-saforajazonafet-pajulofowejid.pdf
    • http://poolcleaninglb.com/uploads/1/3/0/7/130738956/c6903.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/
    The last six entries are XMP metadata namespace identifiers (RDF, Dublin Core and Adobe PDF/XMP schemas) pulled from the document's XMP packet by the broad URL scan. They are not clickable link targets and are expected in any PDF that carries XMP metadata; only the 16 http://<host>/uploads/... entries are link-annotation targets.
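The triage logic behind the PDF_SEO_LINK_FARM and EMBEDDED_URL labels above, as an added example written for this page (it is not the analysis engine's code). It pulls /URI link actions out of a raw PDF, shows why a broad URL grep also sweeps up XMP namespace identifiers, and scores clustering both by host (the generic heuristic) and by path template (the signal actually present in this sample's URL list). The PDF bytes, hostnames, thresholds and the XMP_NAMESPACE_PREFIXES list are constructed for the demonstration; real samples should be decompressed first (e.g. with qpdf --qdf) because URIs inside object streams or hex strings are not handled here.

```python
"""Link-farm triage for a PDF: extract /URI link actions, separate them from
XMP namespace URIs, and score host / path-template clustering."""
import re
from collections import Counter
from urllib.parse import urlparse

# One /URI action per link annotation, written as "/URI (string)". The group
# tolerates the PDF string escapes \( \) \\ ; hex strings (/URI <...>) and
# compressed object streams are out of scope for this regex.
URI_ACTION_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
# Broad grep a naive extractor would use; it also hits XMP namespace URIs.
ANY_URL_RE = re.compile(rb"https?://[^\s<>\"'()]+")
# Assumed list: namespace identifiers that live in XMP metadata, not in links.
XMP_NAMESPACE_PREFIXES = (
    "http://www.w3.org/1999/02/22-rdf-syntax-ns",
    "http://purl.org/dc/elements/",
    "http://ns.adobe.com/",
)

# Constructed sample, NOT the report's PDF: six link annotations to .pdf files
# on four placeholder hosts sharing one path template, one HTML lure link, and
# an XMP packet carrying two namespace URIs.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /Metadata 11 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R 7 0 R 8 0 R 9 0 R 10 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://host-a.test/uploads/1/3/0/6/130640021/one.pdf) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://host-a.test/uploads/1/3/0/6/130640022/two.pdf) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://host-b.test/uploads/1/3/0/8/130814576/three.pdf) >> >> endobj
7 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://host-c.test/uploads/1/3/1/4/131453027/four.pdf) >> >> endobj
8 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://host-c.test/uploads/1/3/0/5/130551517/five.pdf) >> >> endobj
9 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://host-d.test/uploads/1/3/0/7/130738956/six.pdf) >> >> endobj
10 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://lure.test/uploads/1/3/1/4/131437780/131437780.html#lure+pdf) >> >> endobj
11 0 obj << /Type /Metadata /Subtype /XML /Length 0 >> stream
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:pdf="http://ns.adobe.com/pdf/1.3/"><rdf:Description pdf:Producer="example"/></rdf:RDF></x:xmpmeta>
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def pdf_string_unescape(raw: bytes) -> str:
    # Minimal unescape of the three PDF string escapes that matter for URLs.
    return (raw.replace(b"\\(", b"(").replace(b"\\)", b")")
               .replace(b"\\\\", b"\\").decode("latin-1"))


def extract_uri_actions(pdf: bytes) -> list:
    """Targets of /URI link actions, i.e. what a click actually opens."""
    return [pdf_string_unescape(m.group(1)) for m in URI_ACTION_RE.finditer(pdf)]


def extract_all_urls(pdf: bytes, drop_xmp_namespaces: bool = True) -> list:
    """Every http(s) string in the file; optionally drop XMP namespace noise."""
    urls = [m.group(0).decode("latin-1") for m in ANY_URL_RE.finditer(pdf)]
    if drop_xmp_namespaces:
        urls = [u for u in urls if not u.startswith(XMP_NAMESPACE_PREFIXES)]
    return urls


def path_template(url: str) -> str:
    # Directory part of the path with digit runs normalised, so that
    # /uploads/1/3/0/6/130640021/x.pdf becomes /uploads/#/#/#/#/#/
    directory = urlparse(url).path.rsplit("/", 1)[0] + "/"
    return re.sub(r"\d+", "#", directory)


def concentration(values) -> float:
    # Share taken by the most common value; 0.0 for an empty input.
    if not values:
        return 0.0
    return Counter(values).most_common(1)[0][1] / len(values)


def assess_link_farm(pdf: bytes, max_size: int = 100 * 1024,
                     min_pdf_links: int = 5, cluster_ratio: float = 0.5) -> dict:
    """Flag a small PDF whose link actions are mostly .pdf targets clustered
    either on one host or on one path template. Thresholds are assumptions."""
    uris = extract_uri_actions(pdf)
    pdf_links = [u for u in uris if urlparse(u).path.lower().endswith(".pdf")]
    host_conc = concentration([urlparse(u).hostname for u in pdf_links])
    tmpl_conc = concentration([path_template(u) for u in pdf_links])
    small = len(pdf) <= max_size
    clustered = host_conc >= cluster_ratio or tmpl_conc >= cluster_ratio
    return {
        "size": len(pdf),
        "links_total": len(uris),
        "pdf_links": len(pdf_links),
        "distinct_hosts": len({urlparse(u).hostname for u in pdf_links}),
        "host_concentration": round(host_conc, 2),
        "path_template_concentration": round(tmpl_conc, 2),
        "flagged": small and len(pdf_links) >= min_pdf_links and clustered,
    }


if __name__ == "__main__":
    print(assess_link_farm(SAMPLE_PDF))
    print(extract_all_urls(SAMPLE_PDF, drop_xmp_namespaces=False))
```

On the constructed sample the host concentration is only 0.33 (two links on the busiest host), so the host-only rule the generic heuristic text describes would miss it, while the path-template concentration is 1.0 and the file is flagged; the same holds for the 15 hosts in the report above. Keep the link-action extraction separate from the broad URL grep so the XMP namespace entries never count toward the link tally.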

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000706f.bin
SHA-256: 767ab2f1d4a46220784f4310f1c9cbfbbcc0b48ac625653ca2a96b08ee6aeaa8
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x706F
Size: 8836 bytes
An embedded font stream is normal for wkhtmltopdf output and is not a detection on its own; it is carved so it can be hashed and inspected independently of the PDF.