Malicious PDF — malware analysis report

Static analysis result for SHA-256 2d7122ced4d4df13…

MALICIOUS

PDF

Size: 70.6 KB
Created: 2020-03-29 08:27:31 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 43445d931f2feb890447a09efe7f7fc1
SHA-1: e9012e65f0faa71e47c48f000998fa5f4d87e28b
SHA-256: 2d7122ced4d4df13e675d214b60bd802041b897d186e497d97f92d379d919cb9
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.002 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF document is designed as a lure, masquerading as information about free baby activities in Madrid. It contains a significant number of embedded external links, indicative of a link farm or redirection scheme. The primary heuristic that fired, PDF_SEO_LINK_FARM, indicates that the document's purpose is to host a large collection of links, likely leading to malicious content or further stages of an attack. No scripts were extracted from this sample.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://corustest.devsite-1.com/uploads/1/3/0/9/130969993/130969993.html#actividades+gratuitas+bebes+madrid

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000e66a.bin
SHA-256:  1539f451b99c1b344506e1f88f36cfe4e7d6d28ed358f4a775892a249e2b2fcd
Kind:     pdf-font-stream
Source:   PDF embedded font (sfnt) at offset 0xE66A
Size:     10544 bytes