Malicious PDF — malware analysis report

Static analysis result for SHA-256 33b6da768a3faa76…

Verdict: MALICIOUS
File type: PDF
Size: 37.4 KB
Created: 2020-04-07 09:24:00 +03:00
Authoring application: wkhtmltopdf 0.12.1.4 (via Qt 4.8.6)
MD5: 7e562768626990a7ea4cadcccf75965e
SHA-1: 9214ca90b6e349f17d6685bfaa58d4950f2defc7
SHA-256: 33b6da768a3faa76bcc79eb05c0ac8d50844bc6e264a827249fabd867cb1a679
Risk Score: 62

Malware Insights

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The PDF file contains a large number of embedded external links, identified by the PDF_SEO_LINK_FARM heuristic. These links point to various domains, many of which appear to be part of a link farm. The primary purpose seems to be SEO manipulation or directing users to potentially malicious content hosted on these external sites. No scripts were extracted, and the document body is largely unreadable, so the rationale is based on the link farm heuristic and the presence of numerous unknown URLs.

Heuristics (3)

  • Small PDF contains mass external PDF link farm [critical] PDF_SEO_LINK_FARM
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • External URI [info] PDF_URI
    PDF contains an external URL action
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename: font_00_sfnt_off0000541d.bin
SHA-256: ce31b9ef2e9ecf20b2fd3ceaa8bcedabaff45b641f0b6f63521c4a5d7d8668f6
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x541D
Size: 8172 bytes

Filename: font_01_sfnt_off0000721f.bin
SHA-256: 264da58494b94e4704bc59a91ed7188a2e0b9fc1fa50d69edef70f2621d1673f
Kind: pdf-font-stream
Source: PDF embedded font (sfnt) at offset 0x721F
Size: 16080 bytes