Malicious PDF — malware analysis report

Static analysis result for SHA-256 2d0d72c00960d279…

Verdict: MALICIOUS
File type: PDF
Size: 42.2 KB
Created: 2020-03-23 10:32:46 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 8847e77078058aece0aad83a313ea033
SHA-1: fc218962b208e5839200cb32bb44963a553d477e
SHA-256: 2d0d72c00960d2796945678df6e669d0fd4e6f12dcbd932fffb0bbdb4bc88d50
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document contains a large number of embedded URLs pointing to external PDF files across various domains. This behavior is indicative of a link farm or SEO spam campaign, designed to drive traffic or potentially distribute further malicious payloads. No scripts were extracted, and the document body is heavily obfuscated, limiting deeper analysis of the immediate user-facing lure.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off00007a6c.bin
SHA-256: 29e349357573266e7bcf44f80987b701320b8e4fbc46af919d51023a5b2af16d
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x7A6C
Size: 8652 bytes