Verdict: MALICIOUS
Risk Score: 62
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1204.002 User Execution: Malicious Link
The PDF file contains a large number of external links, a technique often used for SEO manipulation or to redirect users to malicious sites. The primary heuristic identified a link farm structure, and multiple external URLs were extracted, pointing to various domains. The document body contains garbled text and a URL that appears to be the main lure.
Heuristics 3
- Small PDF contains mass external PDF link farm (critical, PDF_SEO_LINK_FARM): Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
- External URI (info, PDF_URI): PDF contains an external URL action
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| stream_006_off0000bc1e.bin 41e309f499cfcb6284c711339c994d757687eddef7ea667f49857619cc227775 | decompressed-pdf-stream | PDF FlateDecoded stream at offset 0xBC1E | 24384 bytes |
| font_00_sfnt_off00009d61.bin 09b678fb93f37bb9d40603d93f90ecee06f3c6a3ed0b6cd86aeecbef702ddbe9 | pdf-font-stream | PDF embedded font (sfnt) at offset 0x9D61 | 7884 bytes |