Malicious PDF — malware analysis report

Static analysis result for SHA-256 31b9ee4728f0d252…

MALICIOUS

PDF

33.3 KB Created: 2020-06-06 01:38:28 +03:00 Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: ffabe51f87f2d5fb83d4a16389607dd1 SHA-1: a3c6657897e78f6da73b8dbaf419b951e63dff46 SHA-256: 31b9ee4728f0d2522b495785d75779973ce3c852e9625767b376bf06a196f818
62 Risk Score

Malware Insights

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1204.002 Malicious Link

The PDF file contains numerous embedded URLs, many of which point to domains associated with SEO spam or link farms. The document body, though partially corrupted, includes text that appears to be a lure for "Solidworks practico 1". The PDF_SEO_LINK_FARM heuristic firing indicates a high volume of external links, suggesting a malicious intent to redirect users to potentially harmful content or phishing sites. No scripts were extracted from this sample.

Heuristics 3

  • Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI info PDF_URI
    PDF contains an external URL action
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://4kj.undesirable.us/uploads/1/3/0/6/130639140/130639140.html#solidworks+practico+1
    • http://spoilmebeautyboutique.com/uploads/1/3/0/6/130604309/wazutelilezopenikef.pdf
    • http://hostmaster.wildlife-cameraman.com/uploads/1/3/0/6/130639459/7398067.pdf
    • http://pelicansmotel.com.au/uploads/1/3/1/1/131164185/384a5b.pdf
    • http://4kj.undesirable.us/uploads/1/3/0/6/130639140/terms.html
    • http://4kj.undesirable.us/uploads/1/3/0/6/130639140/dmca.html
    • http://4kj.undesirable.us/uploads/1/3/0/6/130639140/policy.html
    • https://sujotupuro.files.wordpress.com/2020/06/2990349505.pdf
    • https://befekalud.files.wordpress.com/2020/06/79102305810.pdf
    • https://bewutorabat.files.wordpress.com/2020/06/duratuke.pdf
    • https://zofawatige.files.wordpress.com/2020/06/32710404471.pdf
    • https://segokowiw.files.wordpress.com/2020/06/jamasatoxofowudivunigi.pdf
    • https://kopuzikofofa.files.wordpress.com/2020/06/64239799659.pdf
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/pdf/1.3/
    • http://ns.adobe.com/xap/1.0/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/rights/

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
font_00_sfnt_off0000561d.bin
d9dc832991cbb25adb0ebd2e10ff4cd0cbd80c8049791b69ed059893996a928e		 pdf-font-stream PDF embedded font (sfnt) at offset 0x561D 10684 bytes

Open this report in the interactive analyzer, or submit your own file for analysis.