Malicious PDF — malware analysis report

Static analysis result for SHA-256 31b5c38b44c13d73…

MALICIOUS

PDF

Size: 48.9 KB
Created: 2020-04-01 17:54:24 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: fefbf1a17744fe414db79255b9ce8d10
SHA-1: 610e6a466adc81432b49cdc68e229392bcbd625b
SHA-256: 31b5c38b44c13d7387920631e0671431a01f31abf886549a4c1e965d7b3f802c
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF file contains a significant number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. These links point to various domains, suggesting a link farm or redirection scheme. The primary purpose appears to be directing users to these external resources, potentially for SEO manipulation or to host further malicious content. No scripts were extracted from this sample.

Heuristics (3)

  • [critical] PDF_SEO_LINK_FARM: Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • [info] PDF_URI: External URI
    PDF contains an external URL action
  • [info] EMBEDDED_URL: Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs extracted:
    • http://absolutedimensioninc.com/uploads/1/3/1/4/131455463/131455463.html#energia+de+mares+y+oceanos
    • http://amor-mundi.org/uploads/1/3/0/6/130604176/4898900.pdf
    • http://fancyfishupcycling.com/uploads/1/3/0/8/130874175/1da62.pdf
    • http://troop104madison.org/uploads/1/3/0/6/130639438/6258238.pdf
    • http://reikiforalternativehealing.com/uploads/1/3/0/6/130603772/adaf32f56a79e.pdf
    • http://vancouverislandsafari.com/uploads/1/3/0/7/130776072/cd4721ac99e0f47.pdf
    • http://modehealthandfitness.com/uploads/1/3/0/2/130272387/neletel.pdf
    • http://lacysphotos.com/uploads/1/3/0/7/130739682/8564091.pdf
    • http://commercialcompliance.com/uploads/1/3/0/6/130604112/ketojowawu_jowevudazedin_xozolozufugaje.pdf
    • http://bpreparednow.com/uploads/1/3/1/0/131070487/begetopexuf_fadimewezazo_vatesazu_zozoderin.pdf
    • http://countrycousinssp.com/uploads/1/3/0/6/130621134/jamuxizowi.pdf
    • http://environmoment.com/uploads/1/3/0/6/130621908/07b5206ebcce.pdf
    • http://laserartistryfasa.net/uploads/1/3/0/3/130324137/3772991.pdf
    • http://sffclions.org/uploads/1/3/1/3/131397989/5443797.pdf
    • http://rosecityhealth.com/uploads/1/3/0/8/130814042/391e10148a.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts (3)

Files carved from inside the sample during analysis (filename, SHA-256, kind, source, size).

  • font_00_sfnt_off00007372.bin
    SHA-256: a57755bc34c0399fd7d0a8e1d22f84ff68b7b95c9830ca14f2a3f62ec5501651
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x7372
    Size: 10388 bytes
  • font_01_sfnt_off00009616.bin
    SHA-256: e91619dfd4c72a85464d95ef1ba4e67df13020651c42071bafbe521a61d9f7fc
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9616
    Size: 2652 bytes
  • font_02_sfnt_off00009f7d.bin
    SHA-256: 779aa567746046747dac965df7fdfb06ff632674a0a99ce247a327bf89f0fa63
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x9F7D
    Size: 16036 bytes