Malicious PDF — malware analysis report

Static analysis result for SHA-256 3192bb80595d4c55…

Verdict: MALICIOUS
File type: PDF
Size: 44.7 KB
Created: 2020-03-23 13:45:43 +02:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 64b401ad07233a62f9048bab1661097c
SHA-1: a4ca37d832edc752dcab89242fd07574e5743b0f
SHA-256: 3192bb80595d4c550791a5f7320ad1395e79a8bc18bb3cef43f5d21beba7f693
Risk score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a large number of external links, identified by the PDF_SEO_LINK_FARM heuristic. The document body, though partially corrupted, contains references to URLs such as http://tripanmarketing.com/uploads/1/3/0/5/130588611/130588611.html#pasar+de+centigrados+a+fahrenheit+formula and http://arborvitaescreen.com/uploads/1/3/0/5/130539090/2c1953f2aa5.pdf. This indicates a likely attempt to direct users to potentially malicious or deceptive content hosted on numerous domains.

Heuristics (3)

  • Small PDF contains mass external PDF link farm (severity: critical, rule: PDF_SEO_LINK_FARM)
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI (severity: info, rule: PDF_URI)
    PDF contains an external URL action.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

  • Filename: font_00_sfnt_off00006faa.bin
    SHA-256: d03e4b77333df9d834e71b4a67d498d1146910162fac2a38eddd79b185afa987
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x6FAA
    Size: 8012 bytes
  • Filename: font_01_sfnt_off00008d3f.bin
    SHA-256: 0cc7d987b4e16397ef313ec0d1375f7b14fb19e88b64a3780f7835187f2ef04c
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x8D3F
    Size: 16416 bytes