Malicious PDF — malware analysis report

Static analysis result for SHA-256 2bcd43fdea8875b1…

Verdict: MALICIOUS
File type: PDF
Size: 38.4 KB
Created: 2020-06-08 19:07:27 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 6f8d1236f9ed7fdd6cac14884eaf0bbe
SHA-1: b36a5c8280b6690118091caae959862caea3d6f3
SHA-256: 2bcd43fdea8875b1791127e64c03ceeecf283931dcf6ac60afb91af63f8650ec
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a significant number of external links, a technique often used for SEO poisoning or to redirect users to malicious content. The heuristic 'PDF_SEO_LINK_FARM' specifically flags this behavior, indicating a likely attempt to manipulate search engine results or distribute malware through a network of linked documents. No scripts were extracted from this sample, limiting the analysis of direct execution capabilities.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://mta-sts.joesavd.com/uploads/1/3/0/3/130323738/130323738.html#tasar%25C4%25B1m+ilkeleri+denge
    • http://michaeltigue.com/uploads/1/3/0/7/130739769/tuxinoko-mezutafagej.pdf
    • http://8feathers.co/uploads/1/3/1/0/131070710/583050a9fbbc.pdf
    • http://blackhawk-down.com/uploads/1/3/0/3/130323249/1821344.pdf
    • http://fincadeya.com/uploads/1/3/1/4/131437867/0717339483d0.pdf
    • http://shopwinehk.com/uploads/1/3/0/6/130639949/rapexonidonikijuxo.pdf
    • http://simplyamazingcreations.com/uploads/1/3/0/6/130604205/2250605.pdf
    • http://philliplarsen.org/uploads/1/3/0/7/130775047/zopidazopitoretax.pdf
    • http://fellowshipstar.org/uploads/1/3/1/4/131407143/1106255.pdf
    • http://ipanama.cz/uploads/1/3/0/7/130738814/5642525.pdf
    • https://migeragez.files.wordp
    • https://rapediru168496829.files.wordpress.com/2020/06/pozademide.pdf
    • https://gomepimus.files.wordpress.com/2020/06/72691760290.pdf
    • https://rizefoxug.files.wordpress.com/2020/06/72438621877.pdf
    • https://zivadoduv.files.wordpress.com/2020/06/worudu.pdf
    • https://bojusinowawa.files.wordpress.com/2020/06/5304573911.pdf
    • https://nupukoxugezo.files.wordpress.com/2020/06/31024944934.pdf
    • https://diderozama.files.wordpress.com/2020/06/mafutawuzibagufotipemevuw.pdf
    • https://migeragez.files.wordpress.com/2020/06/53366650724.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00006776.bin
SHA-256: 24be6b7f3f4ad28a288bf42795c92970942a5e12cdca55c27485126d8f44d76a
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x6776
Size: 11664 bytes