Malicious PDF — malware analysis report

Static analysis result for SHA-256 2ebb9a7f74cdd7f8…

Verdict: MALICIOUS
File type: PDF
Size: 85.5 KB
Created: 2020-04-13 05:45:41 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 8c07b35679a11635b1f5170b780ebb64
SHA-1: e588326cf19c960365165bc9a37ed605b85f933c
SHA-256: 2ebb9a7f74cdd7f8a317553301be1de5003e4224941d6203786239752f699d0c
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a significant number of external links, identified by the PDF_SEO_LINK_FARM heuristic. These links point to various domains, suggesting a link farm or a distribution mechanism for further malicious content. The embedded URL also directs to an external resource. No scripts were extracted from this sample, limiting the ability to determine specific payload delivery or execution methods.

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • PDF_URI (info): External URI
    PDF contains an external URL action.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    Embedded URL: http://oldkingpartners.com/uploads/1/3/0/6/130639885/130639885.html#kung+fu+wing+chun+%282010%29+full+movie+english

Extracted artifacts (3)

Files carved from inside the sample during analysis.

  • font_00_sfnt_off00009db2.bin
    SHA-256: 1e3e911f1415207be1ee35fa781860259e81406aec7507be5d2ca6bd603afa82
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9DB2
    Size: 12016 bytes
  • font_01_sfnt_off0000c422.bin
    SHA-256: c7a79e675f9954270e68e6b211a4bdf31b996320314a41a588f84b73fa082dea
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0xC422
    Size: 34556 bytes
  • font_02_sfnt_off00012e84.bin
    SHA-256: 448b246580805eb4c96691d95e1c1b851f0920a3353f3f5918d4f53fb574bf35
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x12E84
    Size: 17652 bytes